Abstract

We define a language CQP (Communicating Quantum 
Processes) for modelling systems which combine quan- 
tum and classical communication and computation. 
CQP combines the communication primitives of the pi- 
calculus with primitives for measurement and transfor- 
mation of quantum state; in particular, quantum bits 
(qubits) can be transmitted from process to process 
along communication channels. CQP has a static type 
system which classifies channels, distinguishes between 
quantum and classical data, and controls the use of 
quantum state. We formally define the syntax, oper- 
ational semantics and type system of CQP, prove that 
the semantics preserves typing, and prove that typing 
guarantees that each qubit is owned by a unique process 
within a system. We illustrate CQP by defining models 
of several quantum communication systems, and outline 
our plans for using CQP as the foundation for formal 
analysis and verification of combined quantum and clas- 
sical systems. 

1 Introduction 

Quantum computing and quantum communication have 
attracted growing interest since their inception as re- 
search areas more than twenty years ago, and there has 
been a surge of activity among computer scientists dur- 
ing the last few years. While quantum computing offers 
the prospect of vast improvements in algorithmic effi- 
ciency for certain problems, quantum cryptography can 
provide communication systems which will be secure 
even in the presence of hypothetical future quantum 
computers. As a practical technology, quantum com-
munication has progressed far more rapidly than quan- 
tum computing. Secure communication involving quan- 
tum cryptography has recently been demonstrated in a 
scenario involving banking transactions in Vienna JJlj, 
systems are commercially available from Id Quantique, 
MagiQ Technologies and NEC, and plans have been re- 
ported to establish a nationwide quantum communica- 
tion network in Singapore. Secure quantum communi- 
cation will undoubtedly become a fundamental part of 
the technological infrastructure of society, long before 
quantum computers can tackle computations of a useful 
size. 

However, secure quantum communication is not a 
solved problem. Although particular protocols have 
been mathematically proved correct (for example, May- 
ers' analysis of the Bennett-Brassard protocol 
(BB84) [2] for quantum key distribution), this does not
guarantee the security of systems which use them. Ex- 
perience of classical security analysis has shown that 
even if protocols are theoretically secure, it is difficult 
to achieve robust and reliable implementations of se- 
cure systems: security can be compromised by flaws at 
the implementation level or at the boundaries between 
systems. To address this problem, computer scientists 
have developed an impressive armoury of techniques 
and tools for formal modelling, analysis and verification 
of classical security protocols and communication sys- 
tems which use them [21]. These techniques have been
remarkably successful both in establishing the security 
of new protocols and in demonstrating flaws in proto- 
cols which had previously been believed to be secure. 
Their strength lies in the ability to model systems as 
well as idealized protocols, and the flexibility to easily 
re-analyze variations in design. 

Our research programme is to develop techniques 
and tools for formal modelling, analysis and verification 
of quantum communication and cryptographic systems. 
More precisely we aim to handle systems which com- 



bine quantum and classical communication and com- 
putation, for two reasons: the first quantum communi- 
cation systems will implement communication between 
classical computers; and protocols such as BB84 typi- 
cally contain classical communication and computation 
as well as quantum cryptography. We cannot simply 
make use of existing techniques for classical security 
analysis: for example, treating the security of quan- 
tum cryptography axiomatically would not permit anal- 
ysis of the protocols which construct quantum crypto- 
graphic keys. Furthermore, the inherently probabilistic 
nature of quantum systems means that not all verifica- 
tion consists of checking absolute properties; we need a 
probabilistic modelling and analysis framework. 

Any formal analysis which involves automated tools 
requires a modelling language with a precisely-defined 
semantics. The purpose of this paper is to define a 
language, CQP (Communicating Quantum Processes), 
which will serve as the foundation for the programme 
described above. CQP combines the communication 
primitives of the pi-calculus I28j with primitives for 
transformation and measurement of quantum state. In 
particular, qubits (quantum bits, the basic elements 
of quantum data) can be transmitted along commu- 
nication channels. In Section 3 we introduce CQP
through a series of examples which cover a wide spec- 
trum of quantum information processing scenarios: a 
quantum coin-flipping game; a quantum communica- 
tion protocol known as teleportation; and a quantum 
bit-commitment protocol. The latter will lead naturally 
to a model of the BB84 quantum key-distribution pro- 
tocol in future work. In Section 4 we formalize the syn-
tax of CQP and define an operational semantics which 
combines non-determinism (arising in the same way as 
in pi-calculus) with the probabilistic results of quan- 
tum measurements. In SectionElwe define a static type 
system which classifies data and communication chan- 
nels, and crucially treats qubits as physical resources: 
if process P sends qubit q to process Q, then P must 
not access q subsequently, and this restriction can be 
enforced by static typechecking. In Section we prove 
that the invariants of the type system are preserved by 
the operational semantics, guaranteeing in particular 
that at every point during execution of a system, every 
qubit is uniquely owned by a single parallel component. 
In Section Ul we outline our plans for further work, fo- 
cusing on the use of both standard (non-deterministic) 
and probabilistic model-checking systems. 

Related Work 

There has been a great deal of interest in quantum pro- 
gramming languages, resulting in a number of proposals 
in different styles, for example [HI CEl E2 El EH ■ Such 



languages can express arbitrary quantum state transfor- 
mations and could be used to model quantum protocols 
in those terms. However, our view is that any model 
lacking an explicit treatment of communication is essen- 
tially incomplete for the analysis of protocols; certainly 
in the classical world, standard programming languages 
are not considered adequate frameworks in which to an- 
alyze or verify protocols. Nevertheless, Selinger's func- 
tional language QPL in particular has influenced 
our choice of computational operators for CQP. 

The closest work to our own, developed simultane- 
ously but independently, is Jorrand and Lalire's QPAlg 
Q, which also combines process-calculus-style commu- 
nication with transformation and measurement of quan- 
tum state. The most distinctive features of our work 
are the type system and associated proofs, the explicit 
formulation of an expression language which can easily 
be extended, and our emphasis on a methodology for 
formal verification. 

The work of Abramsky and Coecke is also rele- 
vant. They define a category-theoretic semantic founda- 
tion for quantum protocols, which supports reasoning 
about systems and exposes deep connections between 
quantum systems and programming language seman- 
tics, but they do not define a formal syntax in which to 
specify models. It will be interesting to investigate the 
relationship between CQP and the semantic structures 
which they propose. 

2 Preliminaries 

We briefly introduce the aspects of quantum theory 
which are needed for the rest of the paper. For more 
detailed presentations we refer the reader to the books 
by Gruska ^ and Nielsen and Chuang (TJ]. Rieffel and 
Polak [20] give an account aimed at computer scientists.

A quantum bit or qubit is a physical system which
has two states, conventionally written |0) and |1), cor- 
responding to one-bit classical values. These could be, 
for example, spin states of a particle or polarization 
states of a photon, but we do not consider physical de- 
tails. According to quantum theory, a general state of 
a quantum system is a superposition or linear combi- 
nation of basis states. Concretely, a qubit has state 
$\alpha|0\rangle + \beta|1\rangle$ where $\alpha$ and $\beta$ are complex numbers such
that $|\alpha|^2 + |\beta|^2 = 1$; states which differ only by a (com-
plex) scalar factor with modulus 1 are indistinguishable. 
States can be represented by column vectors: 

Superpositions are illustrated by the quantum coin- 
flipping game which we discuss in Section 3.1. Formally,
a quantum state is a unit vector in a Hilbert space, i.e.
a complex vector space equipped with an inner product
satisfying certain axioms. In this paper we will restrict
attention to collections of qubits. 

The basis {|0), |1)} is known as the standard basis. 
Other bases are sometimes of interest, especially the 
diagonal (or dual, or Hadamard) basis consisting of the 
vectors $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and $|-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. For
example, with respect to the diagonal basis, |0) is in a 
superposition of basis states: 



|0)- 



Evolution of a closed quantum system can be de-
scribed by a unitary transformation. If the state of
a qubit is represented by a column vector then a uni-
tary transformation $U$ can be represented by a complex-
valued matrix $(u_{ij})$ such that $U^{-1} = U^*$, where $U^*$ is the
conjugate-transpose of $U$ (i.e. element $ij$ of $U^*$ is $\bar{u}_{ji}$).
U acts by matrix multiplication: 



[uio Uii 



A unitary transformation can also be defined by its ef- 
fect on basis states, which is extended linearly to the 
whole space. For example, the Hadamard transforma- 
tion is defined by 
which corresponds to the matrix



The Hadamard transformation creates superpositions: 
$H|0\rangle = |+\rangle$ and $H|1\rangle = |-\rangle$. We will also make use of the
Pauli transformations, denoted by either $I$, $\sigma_x$, $\sigma_y$, $\sigma_z$ or

$\sigma_0$, $\sigma_1$, $\sigma_2$, $\sigma_3$:
A key feature of quantum physics is the role of mea-
surement. If a qubit is in the state $\alpha|0\rangle + \beta|1\rangle$ then
measuring its value gives the result 0 with probability
$|\alpha|^2$ (leaving it in state $|0\rangle$) and the result 1 with proba-
bility $|\beta|^2$ (leaving it in state $|1\rangle$). Protocols sometimes
specify measurement with respect to a different basis, 
such as the diagonal basis; this can be expressed as a 
unitary change of basis followed by a measurement with 
respect to the standard basis. Note that if a qubit is
in state $|+\rangle$ then a measurement with respect to the
standard basis gives result 0 (and state $|0\rangle$) with prob-
ability $\frac{1}{2}$, and result 1 (and state $|1\rangle$) with probability
$\frac{1}{2}$. If a qubit is in state $|0\rangle$ then a measurement with
respect to the diagonal basis gives result 0^ (and state
$|+\rangle$) with probability $\frac{1}{2}$, and result 1 (and state $|-\rangle$)
with probability $\frac{1}{2}$, because of the representation of $|0\rangle$
in the diagonal basis noted above. If a classical bit is
represented by a qubit using either the standard or di-
agonal basis, then a measurement with respect to the
correct basis results in the original bit, but a measure-
ment with respect to the other basis results in 0 or 1
with equal probability. This behaviour is used by the
quantum bit-commitment protocol which we discuss in
Section 3.3.

To go beyond single-qubit systems, we consider ten- 
sor products of spaces (in contrast to the cartesian 
products used in classical systems). If spaces $U$ and
$V$ have bases $\{u_i\}$ and $\{v_j\}$ then $U \otimes V$ has basis
$\{u_i \otimes v_j\}$. In particular, a system consisting of $n$
qubits has a $2^n$-dimensional space whose standard ba-
sis is $|00\ldots0\rangle \ldots |11\ldots1\rangle$. We can now consider mea-
surements of single qubits or collective measurements
of multiple qubits. For example, a 2-qubit system has
basis $|00\rangle, |01\rangle, |10\rangle, |11\rangle$ and a general state is
$\alpha|00\rangle + \beta|01\rangle + \gamma|10\rangle + \delta|11\rangle$ with
$|\alpha|^2 + |\beta|^2 + |\gamma|^2 + |\delta|^2 = 1$.
Measuring the first qubit gives result 0 with probability
$|\alpha|^2 + |\beta|^2$ (leaving the system in state
$\frac{1}{\sqrt{|\alpha|^2 + |\beta|^2}}(\alpha|00\rangle + \beta|01\rangle)$) and result 1 with probability
$|\gamma|^2 + |\delta|^2$ (leaving the system in state
$\frac{1}{\sqrt{|\gamma|^2 + |\delta|^2}}(\gamma|10\rangle + \delta|11\rangle)$).
Measuring both qubits simultaneously gives result 0 with
probability $|\alpha|^2$ (leaving the system in state $|00\rangle$), re-
sult 1 with probability $|\beta|^2$ (leaving the system in state
$|01\rangle$) and so on; note that the association of basis states
$|00\rangle, |01\rangle, |10\rangle, |11\rangle$ with results 0, 1, 2, 3 is just a con-
ventional choice. The power of quantum computing,
in an algorithmic sense, results from calculating with 
superpositions of states; all the states are transformed 
simultaneously (quantum parallelism) and the effect in-
creases exponentially with the dimension of the state 
space. The challenge in quantum algorithm design is to 
make measurements which enable this parallelism to be 
exploited; in general this is very difficult. 

We will make use of the conditional not (CNot) 
transformation on pairs of qubits. Its action on basis 
states is defined by 



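$|00\rangle \mapsto |00\rangle \qquad |01\rangle \mapsto |01\rangle \qquad |10\rangle \mapsto |11\rangle \qquad |11\rangle \mapsto |10\rangle$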



which can be understood as inverting the second qubit 
if and only if the first qubit is set, although in general 
we need to consider the effect on non-basis states. 



^Strictly speaking, the outcome of the measurement is just the 
final state; the specific association of numerical results with final 
states is a matter of convention. 
Systems of two or more qubits can exhibit the phe-
nomenon of entanglement, meaning that the states of
the qubits are correlated. For example, consider a mea-
surement of the first qubit of the state $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$.
The result is 0 (and resulting state $|00\rangle$) with probabil-
ity $\frac{1}{2}$, or 1 (and resulting state $|11\rangle$) with probability $\frac{1}{2}$.
In either case a subsequent measurement of the second 
qubit gives a definite (non-probabilistic) result which is 
always the same as the result of the first measurement. 
This is true even if the entangled qubits are physically 
separated. Entanglement illustrates the key difference 
between the use of tensor product (in quantum systems) 
and cartesian product (in classical systems): an entan- 
gled state of two qubits is one which cannot be decom- 
posed as a pair of single-qubit states. Entanglement is 
used in an essential way in the quantum teleportation 
protocol which we discuss in Section 3.2. That example
uses the CNot transformation to create entanglement:
$\mathrm{CNot}((H \otimes I)|00\rangle) = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$.

3 Examples of Modelling in CQP 

3.1 A Quantum Coin-Flipping Game 

Our first example is based on a scenario used by Meyer 
[12] to initiate the study of quantum game theory. Play-
ers P and Q play the following game: P places a coin, 
head upwards, in a box, and then the players take turns 
(Q, then P, then Q) to optionally turn the coin over, 
without being able to see it. Finally the box is opened 
and Q wins if the coin is head upwards. 

Clearly neither player has a winning strategy, but 
the situation changes if the coin is a quantum system, 
represented by a qubit (|0) for head upwards, |1) for 
tail upwards). Turning the coin over corresponds to the 
transformation $\sigma_1$, and this is what P can do. But sup-
pose that Q can apply H, which corresponds to trans-
forming from head upwards ($|0\rangle$) to a superposition of
head upwards and tail upwards ($\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$), and does
this on both turns. Then we have two possible runs of 
the game, (a) and (b): 



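(a)                                                          (b)
Action         State                                         Action         State
               $|0\rangle$                                                  $|0\rangle$
Q: $H$         $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$   Q: $H$         $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$
P: $\sigma_1$  $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$   P: -           $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$
Q: $H$         $|0\rangle$                                   Q: $H$         $|0\rangle$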





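and in each case the coin finishes head upwards. To
verify this we calculate that the state $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ is
invariant under $\sigma_1$:

$$\begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \frac{1}{\sqrt{2}} \begin{pmatrix} 1 \\ 1 \end{pmatrix} = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 \\ 1 \end{pmatrix}$$

and that the Hadamard transformation H is self-inverse:

$$\frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$$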

Meyer considers game-theoretic issues relating to the 
expected outcome of repeated runs, but we just model 
a single run in CQP (Figure 1). Most of the syntax of
CQP is based on typed pi-calculus, using fairly com-
mon notation (for example, see Pierce and Sangiorgi's
presentation [18]). P and Q communicate by means of
the typed channel s:^[Qbit] which carries qubits. It is
a parameter of both P and Q. At the top level, System
creates s with (new s:^[Qbit]) and starts P and Q in
parallel. Q and System are also parameterized by x,
the qubit representing the initial state of the coin.

Q applies (x *= H) the Hadamard transformation to 
x; this syntax is based on Selinger's QPL [24]. This
expression is converted into an action by {...}. Using 
a standard pi-calculus programming style, Q creates a 
channel t and sends (s![x, t]) it to P along with the qubit
x. P will use t to send the qubit back, and Q receives
it with t?[z:Qbit], binding it to the name z in the rest 
of the code. Finally Q applies H again, and continues 
with some behaviour C(z). 

P contains two branches of behaviour, correspond- 
ing to the possibilities of applying (second branch) 
or not applying (first branch) the transformation $\sigma_1$.
Both branches terminate with the null process 0. The 
branches are placed in parallel and the operational se- 
mantics means that only one of them interacts with Q; 
the other is effectively Garbage (different in each case). 

Figure 2 shows the execution (combining some steps)
of System according to the operational semantics which
we will define formally in Section 4. Reduction takes
place on configurations ($\sigma$; $\phi$; $P$) where $\sigma$ is a list of
qubits and their collective state, $\phi$ lists the channels
which have been created, and P is a process term. Note 
that the state of the qubits must be a global property in 
order to be physically realistic. We record the channels 
globally in order to give the semantics a uniform style; 
this is different from the usual approach to pi-calculus 
semantics, but (modulo garbage collection) is equivalent 
to expanding the scope of every new before beginning 
execution. 

The execution of System tracks the informal cal- 
culation which we worked through above. Our CQP 
model makes the manipulation of the qubit very ex- 
plicit; there are other ways to express the behaviour 
(including putting everything into a single process with 
no communication), but the point is that we have a 
framework in which to discuss such issues. 

^Simpler definitions can be obtained if we add guarded sums 
to CQP; there is then no need for the channel t. This is straight- 
forward but we have chosen instead to simplify the presentation
of the semantics. 
P(s:^[Qbit]) = s?[y:Qbit, t:^[Qbit]] . t![y] . 0
             | s?[y:Qbit, t:^[Qbit]] . {y *= $\sigma_1$} . t![y] . 0

Q(x:Qbit, s:^[Qbit]) = {x *= H} . (new t:^[Qbit])(s![x, t] . t?[z:Qbit] . {z *= H} . C(z))

System(x:Qbit) = (new s:^[Qbit])(P(s) | Q(x, s))

Figure 1: The quantum coin-flipping game in CQP



x = $|0\rangle$ ; ; System(x)

↓ expand definition

x = $|0\rangle$ ; ; (new s:^[Qbit])(P(s) | Q(x, s))

↓ create channel s

x = $|0\rangle$ ; s ; P(s) | Q(x, s)

↓ expand definitions

x = $|0\rangle$ ; s ;
s?[y:Qbit, t:^[Qbit]] . t![y] . 0 | s?[y:Qbit, t:^[Qbit]] . {y *= $\sigma_1$} . t![y] . 0
| {x *= H} . (new t:^[Qbit])(s![x, t] . t?[z:Qbit] . {z *= H} . C(z))

↓ transform x

x = $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ ; s ;
s?[y:Qbit, t:^[Qbit]] . t![y] . 0 | s?[y:Qbit, t:^[Qbit]] . {y *= $\sigma_1$} . t![y] . 0
| (new t:^[Qbit])(s![x, t] . t?[z:Qbit] . {z *= H} . C(z))

↓ create channel t

x = $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ ; s, t ;
s?[y:Qbit, t:^[Qbit]] . t![y] . 0 | s?[y:Qbit, t:^[Qbit]] . {y *= $\sigma_1$} . t![y] . 0
| s![x, t] . t?[z:Qbit] . {z *= H} . C(z)

↙ ↘ communication

Left branch:

x = $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ ; s, t ;
t![x] . 0 | Garbage | t?[z:Qbit] . {z *= H} . C(z)

↓ communication

x = $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ ; s, t ;
0 | Garbage | {x *= H} . C(x)

↓ transform x

x = $|0\rangle$ ; s, t ; Garbage | C(x)

Right branch:

x = $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ ; s, t ;
Garbage | {x *= $\sigma_1$} . t![x] . 0 | t?[z:Qbit] . {z *= H} . C(z)

↓ transform x

x = $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ ; s, t ;
Garbage | t![x] . 0 | t?[z:Qbit] . {z *= H} . C(z)

↓ communication

x = $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ ; s, t ;
Garbage | 0 | {x *= H} . C(x)

↓ transform x

x = $|0\rangle$ ; s, t ; Garbage | C(x)

Figure 2: Execution of the coin-flipping game



Alice(x:Qbit, c:^[0..3], z:Qbit) = {z, x *= CNot} . {z *= H} . c![measure z, x] . 0

Bob(y:Qbit, c:^[0..3]) = c?[r:0..3] . {y *= $\sigma_r$} . Use(y)

System(x:Qbit, y:Qbit, z:Qbit) = (new c:^[0..3])(Alice(x, c, z) | Bob(y, c))

Figure 3: Quantum teleportation in CQP
x, y, z = $\frac{1}{\sqrt{2}}|001\rangle + \frac{1}{\sqrt{2}}|111\rangle$ ; ; System(x, y, z)

↓ expand definition

x, y, z = $\frac{1}{\sqrt{2}}|001\rangle + \frac{1}{\sqrt{2}}|111\rangle$ ; ; (new c:^[0..3])(Alice(x, c, z) | Bob(y, c))

↓ create channel c

x, y, z = $\frac{1}{\sqrt{2}}|001\rangle + \frac{1}{\sqrt{2}}|111\rangle$ ; c ; Alice(x, c, z) | Bob(y, c)

↓ expand definitions

x, y, z = $\frac{1}{\sqrt{2}}|001\rangle + \frac{1}{\sqrt{2}}|111\rangle$ ; c ;
{z, x *= CNot} . {z *= H} . c![measure z, x] . 0 | c?[r:0..3] . {y *= $\sigma_r$} . Use(y)

↓ permute x, y, z

z, x, y = $\frac{1}{\sqrt{2}}|100\rangle + \frac{1}{\sqrt{2}}|111\rangle$ ; c ;
{z, x *= CNot} . {z *= H} . c![measure z, x] . 0 | c?[r:0..3] . {y *= $\sigma_r$} . Use(y)

↓ transform z, x

z, x, y = $\frac{1}{\sqrt{2}}|110\rangle + \frac{1}{\sqrt{2}}|101\rangle$ ; c ;
{z *= H} . c![measure z, x] . 0 | c?[r:0..3] . {y *= $\sigma_r$} . Use(y)

↓ transform z

z, x, y = $\frac{1}{2}|001\rangle + \frac{1}{2}|010\rangle - \frac{1}{2}|101\rangle - \frac{1}{2}|110\rangle$ ; c ;
c![measure z, x] . 0 | c?[r:0..3] . {y *= $\sigma_r$} . Use(y)

↓ measure z, x

$\frac{1}{4} \bullet$ (z, x, y = $|001\rangle$ ; c ; c![0] . 0 | c?[r:0..3] . {y *= $\sigma_r$} . Use(y))
$\boxplus\ \frac{1}{4} \bullet$ (z, x, y = $|010\rangle$ ; c ; c![1] . 0 | c?[r:0..3] . {y *= $\sigma_r$} . Use(y))
$\boxplus\ \frac{1}{4} \bullet$ (z, x, y = $|101\rangle$ ; c ; c![2] . 0 | c?[r:0..3] . {y *= $\sigma_r$} . Use(y))
$\boxplus\ \frac{1}{4} \bullet$ (z, x, y = $|110\rangle$ ; c ; c![3] . 0 | c?[r:0..3] . {y *= $\sigma_r$} . Use(y))

↓ $\frac{1}{4}$   ↓ $\frac{1}{4}$   ↓ $\frac{1}{4}$   ↓ $\frac{1}{4}$

z, x, y = $|001\rangle$ ; c ; c![0] . 0 | c?[r:0..3] . {y *= $\sigma_r$} . Use(y)
z, x, y = $|010\rangle$ ; c ; c![1] . 0 | c?[r:0..3] . {y *= $\sigma_r$} . Use(y)
z, x, y = $|101\rangle$ ; c ; c![2] . 0 | c?[r:0..3] . {y *= $\sigma_r$} . Use(y)
z, x, y = $|110\rangle$ ; c ; c![3] . 0 | c?[r:0..3] . {y *= $\sigma_r$} . Use(y)

↓ ↓ ↓ ↓ communication

z, x, y = $|001\rangle$ ; c ; {y *= $\sigma_0$} . Use(y)
z, x, y = $|010\rangle$ ; c ; {y *= $\sigma_1$} . Use(y)
z, x, y = $|101\rangle$ ; c ; {y *= $\sigma_2$} . Use(y)
z, x, y = $|110\rangle$ ; c ; {y *= $\sigma_3$} . Use(y)

↓ ↓ ↓ ↓ transform y

z, x, y = $|001\rangle$ ; c ; Use(y)
z, x, y = $|011\rangle$ ; c ; Use(y)
z, x, y = $-i|101\rangle$ ; c ; Use(y)
z, x, y = $-|111\rangle$ ; c ; Use(y)

Figure 4: Execution of the quantum teleportation protocol



Alice'(s:^[Qbit], c:^[0..3], z:Qbit) = s?[x:Qbit] . Alice(x, c, z)

Bob'(t:^[Qbit], c:^[0..3]) = t?[y:Qbit] . Bob(y, c)

Source(s:^[Qbit], t:^[Qbit]) = (qbit x, y)({x *= H} . {x, y *= CNot} . s![x] . t![y] . 0)

System'(z:Qbit) = (new c:^[0..3], s:^[Qbit], t:^[Qbit])(Alice'(s, c, z) | Bob'(t, c) | Source(s, t))

Figure 5: Quantum teleportation with an EPR source
Alice(x:Bit, xs:Bit List, c:^[Qbit], d:^[Bit], e:^[Int], f:^[Bit List]) =
  e![length(xs)] . AliceSend(x, length(xs), xs, xs, c, d, e, f)

AliceSend(x:Bit, n:Int, xs:Bit List, ys:Bit List, c:^[Qbit], d:^[Bit], e:^[Int], f:^[Bit List]) =
  if n = 0 then AliceReceive(x, length(ys), ys, c, d, e, f)
  else (qbit q)({if hd(xs) = 1 then q *= $\sigma_1$ else unit} . {if x = 1 then q *= H else unit} . c![q] .
       AliceSend(x, n - 1, tl(xs), ys, c, d, e, f))

AliceReceive(x:Bit, n:Int, ys:Bit List, c:^[Qbit], d:^[Bit], e:^[Int], f:^[Bit List]) =
  d?[g:Bit] . d![x] . f![ys] . 0

Bob(c:^[Qbit], d:^[Bit], e:^[Int], f:^[Bit List], r:^[Bit]) =
  e?[n:Int] . BobReceive([], n, c, d, e, f, r)

BobReceive(m:(Bit * Bit) List, n:Int, c:^[Qbit], d:^[Bit], e:^[Int], f:^[Bit List], r:^[Bit]) =
  if n = 0 then r?[g:Bit] . d![g] . d?[a:Bit] . f?[vs:Bit List] . BobVerify(m, vs, a, length(m))
  else c?[x:Qbit] . r?[y:Bit] . {if y = 1 then x *= H else unit} .
       BobReceive(m@[(y, measure x)], n - 1, c, d, e, f, r)

BobVerify(m:(Bit * Bit) List, vs:Bit List, a:Bit, n:Int) =
  if n = 0 then Verified
  else if fst(hd(m)) = a then
         if snd(hd(m)) = hd(vs) then BobVerify(tl(m), tl(vs), a, n - 1)
         else NotVerified
       else BobVerify(tl(m), tl(vs), a, n - 1)

Random(r:^[Bit]) = (qbit q)({q *= H} . r![measure q] . Random(r))

System(x:Bit, xs:Bit List) =
  (new c:^[Qbit], d:^[Bit], e:^[Int], f:^[Bit List], r:^[Bit])
  (Alice(x, xs, c, d, e, f) | Bob(c, d, e, f, r) | Random(r))

Figure 6: Quantum bit-commitment in CQP

T ::= Int | Unit | Qbit | ^[$\tilde{T}$] | Op(1) | Op(2) | ...
v ::= x | 0 | 1 | ... | unit | H | ...
e ::= v | measure $\tilde{e}$ | $\tilde{e}$ *= e | e + e
P ::= 0 | (P | P) | e?[$\tilde{x}$:$\tilde{T}$].P | e![$\tilde{e}$].P | {e}.P | (new x:T)P | (qbit x)P

Figure 7: Syntax of CQP

v ::= ... | q | c
E ::= [ ] | measure E, $\tilde{e}$ | measure v, E, $\tilde{e}$ | ... | measure $\tilde{v}$, E | E, $\tilde{e}$ *= e | v, E, $\tilde{e}$ *= e
      | ... | $\tilde{v}$ *= E | E + e | v + E
F ::= [ ]?[$\tilde{x}$:$\tilde{T}$].P | [ ]![$\tilde{e}$].P | v![[ ], $\tilde{e}$].P | v![v, [ ], $\tilde{e}$].P | ... | v![$\tilde{v}$, [ ]].P | {[ ]}.P

Figure 8: Internal syntax of CQP

P | 0 $\equiv$ P  (S-Nil)      P | Q $\equiv$ Q | P  (S-Comm)      P | (Q | R) $\equiv$ (P | Q) | R  (S-Assoc)

Figure 9: Structural congruence
3.2 Quantum Teleportation

The quantum teleportation protocol [J is a procedure 
for transmitting a quantum state via a non-quantum 
medium. This protocol is particularly important: not 
only is it a fundamental component of several more com- 
plex protocols, but it is likely to be a key enabling tech- 
nology for the development of the quantum repeaters |2| 
which will be necessary in large-scale quantum commu- 
nication networks. 

Figure 3 shows a simple model of the quantum tele-
portation protocol. Alice and Bob each possess one
qubit (x for Alice, y for Bob) of an entangled pair whose
state is $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$. At this point we are assuming
that appropriate qubits will be supplied to Alice and
Bob as parameters of the system. Alice is also parame-
terized by a qubit z, whose state is to be teleported. She
applies (z, x *= CNot) the conditional not transforma-
tion to z and x and then applies (z *= H) the Hadamard
transformation to z, finally measuring z and x to yield a
two-bit classical value which she sends (c![measure z, x])
to Bob on the typed channel c:^[0..3] and then termi-
nates (0). Bob receives (c?[r:0..3]) this value and uses
it to select^ a Pauli transformation $\sigma_0 \ldots \sigma_3$ to apply
(y *= $\sigma_r$) to y. The result is that Bob's qubit y takes
on the state of z, without a physical qubit having been
transmitted from Alice to Bob. Bob may then use y in
his continuation process Use(y).

This example introduces measurement, with a syn- 
tax similar to that of Selinger's QPL [21]. We treat 
measurement as an expression, executed for its value as 
well as its side-effect on the quantum state. Because the 
result of a measurement is probabilistic, evaluation of a 
measure expression introduces a probability distribution 
over configurations: $\boxplus_{0 \leq i \leq n}\, p_i \bullet (\sigma_i; \phi_i; P_i)$. The next
step is a probabilistic transition to one of the configu- 
rations; no reduction takes place underneath a proba- 
bility distribution. In general a configuration reduces 
non-deterministically to one of a collection of probabil- 
ity distributions over configurations (in some cases this 
is trivial, with only one distribution or only one configu- 
ration within a distribution). A non-trivial probability 
distribution makes a probabilistic transition to a single 
configuration; this step is omitted in the case of a trivial 
distribution. 

Figure 4 shows the complete execution of System in
the particular case in which z, the qubit being tele-
ported, has state $|1\rangle$. The measurement produces a
probability distribution over four configurations, but
in all cases the final configuration (process Use(y))
has a state consisting of a single basis vector in which
y = $|1\rangle$. To verify the protocol for an arbitrary qubit,

^We can easily extend the expression language of CQP to allow
explicit testing of r. 



we can repeat the calculation with initial state

$x, y, z = \frac{\alpha}{\sqrt{2}}(|000\rangle + |110\rangle) + \frac{\beta}{\sqrt{2}}(|001\rangle + |111\rangle)$.
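
The calculation for an arbitrary qubit, carried out as a state-vector simulation of the Figure 3 model (an added example, not code from the paper). The qubit order (z, x, y) follows the trace after the permutation step; the correction table indexed by r = 2z + x is this example's assumption for the Pauli operators, whose matrices are not reproduced above.

```python
from math import sqrt

# State vector over qubits (z, x, y); basis index = 4*z + 2*x + y.
H = [[1 / sqrt(2), 1 / sqrt(2)], [1 / sqrt(2), -1 / sqrt(2)]]
I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
ZX = [[0, 1], [-1, 0]]  # X first, then Z
# Assumed correction for each measurement result r = 2*z + x.
CORRECTION = [I2, X, Z, ZX]


def apply_1q(state, gate, pos, n=3):
    """Apply a 2x2 gate to the qubit at position pos (0 = leftmost)."""
    shift = n - 1 - pos
    out = [0j] * len(state)
    for i, amp in enumerate(state):
        if amp == 0:
            continue
        bit = (i >> shift) & 1
        for new_bit in (0, 1):
            j = (i & ~(1 << shift)) | (new_bit << shift)
            out[j] += gate[new_bit][bit] * amp
    return out


def apply_cnot(state, control, target, n=3):
    """Invert the target qubit in every basis state whose control is 1."""
    cs, ts = n - 1 - control, n - 1 - target
    out = [0j] * len(state)
    for i, amp in enumerate(state):
        j = i ^ (1 << ts) if (i >> cs) & 1 else i
        out[j] += amp
    return out


def measure_zx(state):
    """Probability distribution produced by 'measure z, x':
    a list of (r, probability, normalised post-measurement state)."""
    branches = []
    for r in range(4):
        kept = [amp if (i >> 1) == r else 0j for i, amp in enumerate(state)]
        p = sum(abs(a) ** 2 for a in kept)
        if p > 1e-12:
            branches.append((r, p, [a / sqrt(p) for a in kept]))
    return branches


def teleport(alpha, beta):
    """Run Alice | Bob for z = alpha|0> + beta|1> and an entangled (x, y).
    Returns [(r, probability, (amplitude of y=0, amplitude of y=1))]."""
    state = [0j] * 8
    for z, amp in ((0, alpha), (1, beta)):
        for xy in (0b00, 0b11):               # (|00> + |11>)/sqrt(2)
            state[4 * z + xy] = amp / sqrt(2)
    state = apply_cnot(state, control=0, target=1)   # {z, x *= CNot}
    state = apply_1q(state, H, 0)                    # {z *= H}
    results = []
    for r, p, post in measure_zx(state):             # c![measure z, x]
        post = apply_1q(post, CORRECTION[r], 2)      # Bob's correction on y
        results.append((r, p, (post[2 * r], post[2 * r + 1])))
    return results


def fidelity(y, alpha, beta):
    """|<psi|y>|^2 for psi = alpha|0> + beta|1>; 1.0 means y carries psi."""
    return abs(alpha.conjugate() * y[0] + beta.conjugate() * y[1]) ** 2


if __name__ == "__main__":
    for r, p, y in teleport(0.6, 0.8j):
        print(r, round(p, 3), round(fidelity(y, 0.6, 0.8j), 6))
```

Each of the four measurement results occurs with probability 1/4 and leaves y in the state that z started in, for any normalised alpha and beta.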

Alice and Bob are parameterized by their parts (x, y)
of the entangled pair (and by the channel c). We can be
more explicit about the origin of the entangled pair by 
introducing what is known in the physics literature as 
an EPR source^ (computer scientists might regard it as 
an entanglement server). This process constructs the 
entangled pair (by using the Hadamard and controlled 
not transformations) and sends its components to Alice 
and Bob on the typed channels s, t:^[Qbit]. Figure 5
shows the revised model. 

3.3 Bit-Commitment 

The bit-commitment problem is to design a protocol 
such that Alice chooses a one-bit value which Bob then 
attempts to guess. The key issue is that Alice must 
evaluate Bob's guess with respect to her original choice 
of bit, without changing her mind; she must be com- 
mitted to her choice. Similarly, Bob must not find out 
Alice's choice before making his guess. Bit-commitment 
turns out to be an important primitive in cryptographic 
protocols. Classical bit-commitment schemes rely on 
assumptions on the computational complexity of cer- 
tain functions; it is natural to ask whether quantum 
techniques can remove these assumptions. 

We will discuss a quantum bit-commitment protocol 
due to Bennett and Brassard [2] which is closely related
to the quantum key-distribution protocol proposed in 
the same paper and known as BB84. The following 
description of the protocol is based on Gruska's 0^ pre- 
sentation. 

1. Alice randomly chooses a bit x and a sequence of 
bits xs. She encodes xs as a sequence of qubits 
and sends them to Bob. This encoding uses the 
standard basis (representing 0 by $|0\rangle$ and 1 by $|1\rangle$)
if x = 0, and the diagonal basis (representing 0 by
$|+\rangle$ and 1 by $|-\rangle$) if x = 1.

2. Upon receiving each qubit, Bob randomly chooses
to measure it with respect to either the standard 
basis or the diagonal basis. For each measurement 
he stores the result and his choice of basis. If the 
basis he chose matches Alice's x then the result of 
the measurement is the same as the corresponding 
bit from xs; if not, then the result is 0 or 1 with
equal probability. After receiving all of the qubits, 
Bob tells Alice his guess at the value of x. 

3. Alice tells Bob whether or not he guessed correctly. 
To certify her claim she sends xs to Bob. 

^EPR stands for Einstein, Podolsky and Rosen.

4. Bob verifies Alice's claim by looking at the mea-
surements in which he used the basis correspond-
ing to x, and checking that the results are the same
as the corresponding bits from xs. He can also 
check that the results of the other measurements 
are sufficiently random (i.e. not significantly corre- 
lated with the corresponding bits from xs). 

Figure 6 shows our model of this protocol in CQP.
The complexity of the definitions reflects the fact that
we have elaborated much of the computation which is 
implicit in the original description. The definitions use 
the following features which are not present in our for- 
malization of CQP, but can easily be added. 

• The type constructor List and associated functions 
and constructors such as hd, tl, length, [], @. 

• Product types (*) and functions such as fst, snd. 

• if — then — else for expressions and processes. 

• Recursive process definitions. 

Alice is parameterized by x and xs; they could be ex- 
plicitly chosen at random if desired. Bob uses m to 
record the results of his measurements, and n (received 
from Alice initially) as a recursion parameter. Bob re-
ceives random bits, for his choices of basis, from the
server Random; he also guesses x randomly. The state
BobVerify carries out the first part of step (4) above, 
but we have not included a check for non-correlation of 
the remaining bits. 
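
Steps 1 to 4 and the BobVerify check, simulated one qubit at a time with real amplitudes (an added example, not the paper's CQP model). The function names and the `claimed_x` parameter are hypothetical; a run with `claimed_x` different from `x` measures how often the check rejects an announcement that does not match the basis Alice actually used.

```python
import random
from math import sqrt


def hadamard(q):
    """Apply H to a single-qubit state given as a pair of real amplitudes."""
    a, b = q
    return (a + b) / sqrt(2), (a - b) / sqrt(2)


def alice_prepare(bit, x):
    """AliceSend: start from |0>, flip if bit = 1, then apply H if x = 1."""
    q = (0.0, 1.0) if bit else (1.0, 0.0)
    return hadamard(q) if x else q


def bob_measure(q, basis, rng):
    """BobReceive: apply H if basis = 1, then measure in the standard basis."""
    _, b = hadamard(q) if basis else q
    return 1 if rng.random() < b * b else 0


def bob_verify(m, vs, a):
    """BobVerify: where Bob's basis equals the announced bit a, his result
    must equal the revealed bit; all other positions are skipped."""
    for (basis, result), v in zip(m, vs):
        if basis == a and result != v:
            return "NotVerified"
    return "Verified"


def run_protocol(x, xs, claimed_x, rng):
    """One run; returns (Bob's guess, Bob's verdict on Alice's claim)."""
    m = []
    for bit in xs:                        # steps 1 and 2
        basis = rng.randrange(2)          # bit from the Random server
        m.append((basis, bob_measure(alice_prepare(bit, x), basis, rng)))
    guess = rng.randrange(2)              # Bob guesses x at random
    return guess, bob_verify(m, xs, claimed_x)    # steps 3 and 4


def detection_rate(n_qubits, trials, seed):
    """Fraction of runs in which announcing 1 - x ends in NotVerified."""
    rng = random.Random(seed)
    caught = 0
    for _ in range(trials):
        x = rng.randrange(2)
        xs = [rng.randrange(2) for _ in range(n_qubits)]
        _, verdict = run_protocol(x, xs, 1 - x, rng)
        caught += verdict == "NotVerified"
    return caught / trials


if __name__ == "__main__":
    for n in (1, 4, 16, 64):
        # A position exposes the mismatch only if Bob used the announced
        # basis (1/2) and his result differs from the revealed bit (1/2),
        # so the expected rate is 1 - (3/4)**n.
        print(n, detection_rate(n, 2000, seed=1), round(1 - 0.75 ** n, 4))
```

As in Figure 6, this covers only the first part of step 4; the randomness check on the remaining positions is not modelled.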

Communication between Alice and Bob uses four 
separate channels, c, . . . , f. This proliferation of chan- 
nels is a consequence of the fact that our type system 
associates a unique message type with each channel. In- 
troducing session types [25] would allow a single channel
to be used for the entire protocol, although it is worth 
noting that depending on the physical implementation 
of qubits, separation of classical and quantum channels 
might be the most accurate model. 

We intend to use this CQP model as the basis for various
kinds of formal analysis of the bit-commitment protocol; we
make some specific suggestions in Section 7. We should point
out, however, that this bit-commitment protocol is insecure
in that it allows Alice to cheat: if each qubit which she
sends to Bob is part of an entangled pair, then Bob's
measurements transmit information back to Alice which she
can use to change x after receiving Bob's guess. The real
value of quantum bit-commitment is as a stepping-stone to the
BB84 quantum key-distribution protocol, which has a very
similar structure and is already being used in practical
quantum communication systems.



4 Syntax and Operational Semantics 

We now formally define the syntax and operational se- 
mantics of the core of CQP, excluding named process 
definitions and recursion, which can easily be added. 

4.1 Syntax 

The syntax of CQP is defined by the grammar in Figure 7.
Types $T$ consist of data types such as Int and Unit (others
can easily be added), the type Qbit of qubits, channel types
${}^\wedge[T_1,\ldots,T_n]$ (specifying that each message is
an n-tuple with component types $T_1,\ldots,T_n$) and
operator types Op(n) (the type of a unitary operator on n
qubits). The integer range type 0..3 used in the
teleportation example is purely for clarification and should
be replaced by Int; we do not expect to typecheck with range
types.

We use the notation $\tilde T = T_1,\ldots,T_n$ and
$\tilde e = e_1,\ldots,e_n$ and write $|\tilde e|$ for the
length of a tuple. Values $v$ consist of variables ($x$, $y$,
$z$ etc.), literal values of data types (0, 1, ... and unit)
and unitary operators such as the Hadamard operator H.
Expressions $e$ consist of values, measurements
measure $e_1,\ldots,e_n$, applications of unitary operators
$e_1,\ldots,e_n \mathrel{*}= e$, and expressions involving
data operators such as $e + e'$ (others can easily be added).
Note that although the syntax refers to measurements and
transformation of expressions $e$, the type system will
require these expressions to refer to qubits. Processes $P$
consist of the null (terminated) process 0, parallel
compositions $P \mid Q$, inputs $e?[\tilde x:\tilde T].P$
(notation: $\tilde x:\tilde T = x_1:T_1,\ldots,x_n:T_n$,
declaring the types of all the input-bound variables),
outputs $e![\tilde e].P$, actions $\{e\}.P$ (typically $e$
will be an application of a unitary operator), channel
declarations (new $x:T$)$P$ and qubit declarations
(qbit $x$)$P$. In inputs and outputs, the expression $e$ will
be constrained by the type system to refer to a channel.

The grammar in Figure |H1 defines the internal syn- 
tax of CQP, which is needed in order to define the op- 
erational semantics. Values are extended by two new 
forms: qubit names q, and channel names c. Evalu- 
ation contexts E[] (for expressions) and F[] (for pro- 
cesses) are used in the definition of the operational se- 
mantics, in the style of Wright and Felleisen |21]. The 
structure of E[] is used to define call-by-value evaluation
of expressions; the hole [] specifies the first part of 
the expression to be evaluated. The structure of F[] is 
used to define reductions of processes, specifying which 
expressions within a process must be evaluated. 

Given a process $P$ we define its free variables $fv(P)$,
free qubit names $fq(P)$ and free channel names $fc(P)$ in
the usual way; the binders (of $x$ or $\tilde x$) are
$y?[\tilde x:\tilde T]$, (qbit $x$) and (new $x:T$).
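$$
(\sigma;\ \phi;\ u+v) \longrightarrow_v (\sigma;\ \phi;\ w)
\quad \text{if } u \text{ and } v \text{ are integer literals and } u+v=w
\tag{R-Plus}
$$

$$
\begin{array}{l}
(q_0,\ldots,q_{n-1} = \alpha_0|\psi_0\rangle + \cdots + \alpha_{2^n-1}|\psi_{2^n-1}\rangle;\ \phi;\ \mathsf{measure}\ q_0,\ldots,q_{r-1}) \longrightarrow_v \\
\quad \boxplus_{0 \le m < 2^r}\ p_m \bullet (q_0,\ldots,q_{n-1} = \tfrac{\alpha_{l_m}}{\sqrt{p_m}}|\psi_{l_m}\rangle + \cdots + \tfrac{\alpha_{u_m}}{\sqrt{p_m}}|\psi_{u_m}\rangle;\ \phi;\ m)
\end{array}
\tag{R-Measure}
$$

where $l_m = 2^{n-r}m$, $u_m = 2^{n-r}(m+1)-1$, $p_m = |\alpha_{l_m}|^2 + \cdots + |\alpha_{u_m}|^2$

$$
(q_0,\ldots,q_{n-1} = |\psi\rangle;\ \phi;\ q_0,\ldots,q_{r-1} \mathrel{*}= U) \longrightarrow_v (q_0,\ldots,q_{n-1} = (U \otimes I_{n-r})|\psi\rangle;\ \phi;\ \mathsf{unit})
\tag{R-Trans}
$$

where $U$ is a unitary operator of arity $r$

$$
(q_0,\ldots,q_{n-1} = |\psi\rangle;\ \phi;\ e) \longrightarrow_v (q_{\pi(0)},\ldots,q_{\pi(n-1)} = \Pi|\psi\rangle;\ \phi;\ e)
\tag{R-Perm}
$$

where $\pi$ is a permutation and $\Pi$ is the corresponding unitary operator

$$
\dfrac{(\sigma;\ \phi;\ e) \longrightarrow_v \boxplus_i\ p_i \bullet (\sigma_i;\ \phi_i;\ e_i)}
      {(\sigma;\ \phi;\ E[e]) \longrightarrow_e \boxplus_i\ p_i \bullet (\sigma_i;\ \phi_i;\ E[e_i])}
\tag{R-Context}
$$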

Figure 10: Reduction rules for expression configurations 



4.2 Operational Semantics 

The operational semantics of CQP is defined by reductions
(small-step evaluations of expressions, or inter-process
communications) and probabilistic transitions. The general
form of a reduction is
$t \longrightarrow \boxplus_i\ p_i \bullet t_i$ where $t$ and
the $t_i$ are configurations consisting of expressions or
processes with state information. The notation
$\boxplus_i\ p_i \bullet t_i$ denotes a probability
distribution over configurations, in which $\sum_i p_i = 1$;
we may also write this distribution as
$p_1 \bullet t_1 \boxplus \cdots \boxplus p_n \bullet t_n$.
If the probability distribution contains a single
configuration (with probability 1) then we simply write
$t \longrightarrow t'$. Probability distributions reduce
probabilistically to single configurations:
$\boxplus_i\ p_i \bullet t_i \stackrel{p_i}{\longrightarrow} t_i$
(with probability $p_i$, the distribution
$\boxplus_i\ p_i \bullet t_i$ reduces to $t_i$).

The semantics of expressions is defined by the reduction
relations $\longrightarrow_v$ and $\longrightarrow_e$
(Figure 10), both on configurations of the form
$(\sigma; \phi; e)$. If n qubits have been declared then
$\sigma$ has the form $q_0,\ldots,q_{n-1} = |\psi\rangle$
where
$|\psi\rangle = \alpha_0|\psi_0\rangle + \cdots + \alpha_{2^n-1}|\psi_{2^n-1}\rangle$
is an element of the $2^n$-dimensional vector space with
basis $|\psi_0\rangle = |0 \ldots 0\rangle, \ldots,
|\psi_{2^n-1}\rangle = |1 \ldots 1\rangle$. The remaining
part of the configuration, $\phi$, is a list of channel
names. Reductions $\longrightarrow_v$ are basic steps of
evaluation, defined by the rules R-Plus (and similar rules
for any other data operators), R-Measure and R-Trans. Rule
R-Perm allows qubits in the state to be permuted,
compensating for the way that R-Measure and R-Trans operate
on qubits listed first in the state. Measurement
specifically measures the values of a collection of qubits;
in the future we should generalize to measuring observables
as allowed by quantum physics.

Reductions $\longrightarrow_e$ extend execution to
evaluation contexts as defined by rule R-Context. Note that
the probability distribution remains at the top level.
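The rules R-Measure, R-Trans and R-Perm can be exercised on a state vector directly. The following Python is an added example, not code from the paper: the function names are assumptions of this example, states are amplitude lists in the basis order $|0 \ldots 0\rangle, \ldots, |1 \ldots 1\rangle$ (so the first qubit is the most significant bit), and the sample states are constructed.

```python
import math

def n_qubits(alpha):
    """Number of qubits n for an amplitude list of length 2^n."""
    n = len(alpha).bit_length() - 1
    if len(alpha) != 2 ** n:
        raise ValueError("state vector length must be a power of two")
    return n

def r_measure(alpha, r):
    """R-Measure on the first r qubits: list of (p_m, m, post-measurement amplitudes)."""
    n = n_qubits(alpha)
    block = 2 ** (n - r)
    dist = []
    for m in range(2 ** r):
        l_m, u_m = block * m, block * (m + 1) - 1
        p_m = sum(abs(a) ** 2 for a in alpha[l_m:u_m + 1])
        if p_m == 0:
            continue  # outcome m cannot occur, so it is left out of the distribution
        post = [0j] * len(alpha)
        for k in range(l_m, u_m + 1):
            post[k] = alpha[k] / math.sqrt(p_m)  # renormalise the surviving block
        dist.append((p_m, m, post))
    return dist

def r_trans(alpha, U, r):
    """R-Trans: apply the r-qubit unitary U (nested lists) as U tensor I_{n-r}."""
    n = n_qubits(alpha)
    block = 2 ** (n - r)
    out = [0j] * len(alpha)
    for a in range(2 ** r):
        for b in range(block):
            out[a * block + b] = sum(U[a][a2] * alpha[a2 * block + b]
                                     for a2 in range(2 ** r))
    return out

def r_perm(alpha, pi):
    """R-Perm: reorder qubits so that new position j holds old qubit pi[j]."""
    n = n_qubits(alpha)
    out = [0j] * len(alpha)
    for k, amp in enumerate(alpha):
        bits = [(k >> (n - 1 - j)) & 1 for j in range(n)]  # bits[j] = value of old qubit j
        k2 = 0
        for j in range(n):
            k2 = (k2 << 1) | bits[pi[j]]
        out[k2] = amp
    return out

def measure_qubit(alpha, j):
    """Measure qubit j alone: R-Perm brings it to the front, then R-Measure with r = 1."""
    n = n_qubits(alpha)
    pi = [j] + [i for i in range(n) if i != j]
    return [(p, m) for p, m, _ in r_measure(r_perm(alpha, pi), 1)]

S = 1 / math.sqrt(2)
H = [[S, S], [S, -S]]            # Hadamard operator
EPR = [S, 0, 0, S]               # constructed sample: (|00> + |11>)/sqrt(2)
PLUS = r_trans([1, 0], H, 1)     # constructed sample: H|0> = |+>
```

Measuring the first qubit of `EPR` yields two equally likely configurations whose states are $|00\rangle$ and $|11\rangle$, which is the correlation the entangled-pair attack on bit commitment relies on.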



Figure 11 defines the reduction relation $\longrightarrow$ on
configurations of the form $(\sigma; \phi; P)$. Rule R-Expr
lifts reductions of expressions to contexts, again keeping
probability distributions at the top level. Rule R-Com
defines communication in the style of pi-calculus, making
use of substitution, which is defined in the usual way (we
assume that bound identifiers are renamed to avoid capture).
Rule R-Act trivially removes actions; in general the
reduction of the action expression to $v$ will have involved
side-effects such as measurement or transformation of
quantum state. Rules R-New and R-Qbit create new channels
and qubits, updating the state information in the
configuration. Note that this treatment of channel creation
is different from standard presentations of the pi-calculus;
we treat both qubits and channels as elements of a global
store. Rule R-Par allows reduction to take place in parallel
contexts, again lifting the probability distribution to the
top level, and rule R-Cong allows the use of a structural
congruence relation as in the pi-calculus. Structural
congruence is the smallest congruence relation (closed under
the process constructions) containing α-equivalence and closed
under the rules in Figure |5| 

5 Type System 

The typing rules defined in Figure 12 apply to the syntax
defined in Figure 7. Environments $\Gamma$ are mappings from
variables to types in the usual way. Typing judgements are
of two kinds. $\Gamma \vdash e : T$ means that expression $e$
has type $T$ in environment $\Gamma$. $\Gamma \vdash P$ means
that process $P$ is well-typed in environment $\Gamma$. The
rules for expressions are straightforward; note that in rule
T-Trans, $x_1,\ldots,x_n$ must be distinct variables of type
Qbit.
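$$
\dfrac{(\sigma;\ \phi;\ e) \longrightarrow_e \boxplus_i\ p_i \bullet (\sigma_i;\ \phi_i;\ e_i)}
      {(\sigma;\ \phi;\ F[e]) \longrightarrow \boxplus_i\ p_i \bullet (\sigma_i;\ \phi_i;\ F[e_i])}
\tag{R-Expr}
$$

$$
(\sigma;\ \phi;\ c![\tilde v].P \mid c?[\tilde x:\tilde T].Q) \longrightarrow (\sigma;\ \phi;\ P \mid Q\{\tilde v/\tilde x\})
\quad \text{if } |\tilde v| = |\tilde x|
\tag{R-Com}
$$

$$
(\sigma;\ \phi;\ \{v\}.P) \longrightarrow (\sigma;\ \phi;\ P)
\tag{R-Act}
$$

$$
(\sigma;\ \phi;\ (\mathsf{new}\ x:T)P) \longrightarrow (\sigma;\ \phi, c;\ P\{c/x\})
\quad \text{where } c \text{ is fresh}
\tag{R-New}
$$

$$
(q_0,\ldots,q_n = |\psi\rangle;\ \phi;\ (\mathsf{qbit}\ x)P) \longrightarrow (q_0,\ldots,q_n,q = |\psi\rangle \otimes |0\rangle;\ \phi;\ P\{q/x\})
\quad \text{where } q \text{ is fresh}
\tag{R-Qbit}
$$

$$
\dfrac{(\sigma;\ \phi;\ P) \longrightarrow \boxplus_i\ p_i \bullet (\sigma_i;\ \phi_i;\ P_i)}
      {(\sigma;\ \phi;\ P \mid Q) \longrightarrow \boxplus_i\ p_i \bullet (\sigma_i;\ \phi_i;\ P_i \mid Q)}
\tag{R-Par}
$$

$$
\dfrac{P' \equiv P \qquad (\sigma;\ \phi;\ P) \longrightarrow \boxplus_i\ p_i \bullet (\sigma_i;\ \phi_i;\ P_i) \qquad \forall i.(P_i \equiv P'_i)}
      {(\sigma;\ \phi;\ P') \longrightarrow \boxplus_i\ p_i \bullet (\sigma_i;\ \phi_i;\ P'_i)}
\tag{R-Cong}
$$

$$
\boxplus_i\ p_i \bullet (\sigma_i;\ \phi_i;\ P_i) \stackrel{p_i}{\longrightarrow} (\sigma_i;\ \phi_i;\ P_i)
\tag{R-Prob}
$$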

Figure 11: Reduction rules for process configurations 



In rule T-Par the operation + on environments
(Definition 1) is the key to ensuring that each qubit is
controlled by a unique part of a system. An implicit
hypothesis of T-Par is that $\Gamma_1 + \Gamma_2$ must be
defined. This is very similar to the linear type system for
the pi-calculus, defined by Kobayashi et al.

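Definition 1 (Addition of Environments)

The partial operation of adding a typed variable to an
environment, $\Gamma + x:T$, is defined by

$$
\begin{array}{lll}
\Gamma + x:T & = \Gamma, x:T & \text{if } x \notin dom(\Gamma) \\
\Gamma + x:T & = \Gamma & \text{if } T \neq \mathsf{Qbit} \text{ and } x:T \in \Gamma \\
\Gamma + x:T & = \text{undefined,} & \text{otherwise}
\end{array}
$$

This operation is extended inductively to a partial
operation $\Gamma + \Delta$ on environments.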

Rule T-Out allows output of classical values and qubits to
be combined, but the qubits must be distinct variables and
they cannot be used by the continuation of the outputting
process (note the hypothesis $\Gamma \vdash P$). The
remaining rules are straightforward.

According to the operational semantics, execution of
(qbit ) and (new ) declarations introduces qubit names and
channel names. In order to be able to use the type system to
prove results about the behaviour of executing processes, we
introduce the internal type system (Figure 13). This uses
judgements $\Gamma; \Sigma; \Phi \vdash e : T$ and
$\Gamma; \Sigma; \Phi \vdash P$ where $\Sigma$ is a set of
qubit names and $\Phi$ is a mapping from channel names to
channel types. Most of the typing rules are straightforward
extensions of the corresponding rules in Figure 12. Because
references to qubits may now be either variables or explicit
qubit names, the rules represent them by general expressions
$e$ and impose conditions that $e$ is either a variable or a
qubit name. This is seen in rules IT-Trans and IT-Out. Note
that in IT-Par, the operation $\Sigma_1 + \Sigma_2$ is
disjoint union and an implicit hypothesis is that $\Sigma_1$
and $\Sigma_2$ are disjoint.

By standard techniques for linear type systems, the typing
rules in Figure 12 can be converted into a typechecking
algorithm for CQP models.

As an illustration of the linear control of qubits, con- 
sider the coin-flipping example (Figure^. In P, any 
non-trivial continuation replacing 0 would not be able 
to use the qubit y, which has been sent on t. In Q, after 
the qubit x has been sent on s, the continuation cannot 
use x. Of course, at run-time, the qubit variable z in 
t?[z : Qbit] is instantiated by x, but that is not a problem 
because P does not use x after sending it. In System, x 
is used as an actual parameter of Q and therefore could 
not also be used as an actual parameter of P (if P had 
a formal parameter of type Qbit). 
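One way to turn the linear control of qubits described in this section into a check, given here as an added example and not as the paper's algorithm or code: the Python below covers a fragment of CQP. The tagged-tuple encoding of processes and the names `check`, `typechecks` and `CQPTypeError` are assumptions of this example, which also assumes that bound names are distinct and that expressions are limited to variables, integer literals and `*=` actions.

```python
QBIT, INT = "Qbit", "Int"

class CQPTypeError(Exception):
    """Raised when a process breaks the ownership discipline checked here."""

# Processes are tagged tuples (a constructed encoding, not the paper's syntax):
#   ("nil",)                            0
#   ("par", P, Q)                       P | Q
#   ("in", c, ((y, T), ...), P)         c?[y1:T1,...,yn:Tn].P
#   ("out", c, (a1, ...), P)            c![a1,...,an].P  (a: variable or int literal)
#   ("act", (x1, ...), P)               {x1,...,xn *= U}.P
#   ("qbit", x, P)                      (qbit x)P
#   ("new", x, ("chan", (T, ...)), P)   (new x:^[T1,...,Tn])P

def chan_args(env, c):
    ty = env.get(c)
    if not (isinstance(ty, tuple) and ty and ty[0] == "chan"):
        raise CQPTypeError(f"{c!r} is not a channel in scope")
    return tuple(ty[1])

def owned_qubits(env, names):
    """Check that names are distinct Qbit variables still available in env."""
    if len(set(names)) != len(names):
        raise CQPTypeError(f"qubit variables {names} are not distinct")
    for x in names:
        if env.get(x) != QBIT:
            raise CQPTypeError(f"{x!r} is not a qubit owned at this point")
    return frozenset(names)

def classical_type(env, a):
    if isinstance(a, int):
        return INT
    if a not in env:
        raise CQPTypeError(f"unbound variable {a!r}")
    return env[a]

def check(env, proc):
    """Return the Qbit variables of env that proc uses; raise CQPTypeError otherwise."""
    tag = proc[0]
    if tag == "nil":
        return frozenset()
    if tag == "par":     # T-Par: Gamma1 + Gamma2 is defined only if no qubit is shared
        left, right = check(env, proc[1]), check(env, proc[2])
        if left & right:
            raise CQPTypeError(f"{sorted(left & right)} used on both sides of |")
        return left | right
    if tag == "qbit":    # T-Qbit
        _, x, cont = proc
        return check({**env, x: QBIT}, cont) - {x}
    if tag == "new":     # T-New
        _, x, ty, cont = proc
        return check({**env, x: ty}, cont)
    if tag == "act":     # T-Act whose expression is typed by T-Trans
        _, qubits, cont = proc
        return owned_qubits(env, tuple(qubits)) | check(env, cont)
    if tag == "in":      # T-In
        _, c, params, cont = proc
        if chan_args(env, c) != tuple(t for _, t in params):
            raise CQPTypeError(f"input on {c!r} does not match its message type")
        bound = {y for y, t in params if t == QBIT}
        return check({**env, **dict(params)}, cont) - bound
    if tag == "out":     # T-Out: sent qubits are removed before typing the continuation
        _, c, args, cont = proc
        types = chan_args(env, c)
        if len(types) != len(args):
            raise CQPTypeError(f"output on {c!r} has the wrong arity")
        sent = owned_qubits(env, tuple(a for a, t in zip(args, types) if t == QBIT))
        for a, t in zip(args, types):
            if t != QBIT and classical_type(env, a) != t:
                raise CQPTypeError(f"argument {a!r} does not have type {t}")
        rest = {k: v for k, v in env.items() if k not in sent}
        return sent | check(rest, cont)
    raise ValueError(f"unknown process form {tag!r}")

def typechecks(proc, env=None):
    try:
        check(dict(env or {}), proc)
        return True
    except CQPTypeError:
        return False

# Constructed sample processes.
S = ("chan", (QBIT,))
RECEIVER = ("in", "s", (("z", QBIT),), ("act", ("z",), ("nil",)))
SEND_THEN_STOP = ("qbit", "x", ("new", "s", S,
                  ("par", ("out", "s", ("x",), ("nil",)), RECEIVER)))
SEND_THEN_REUSE = ("qbit", "x", ("new", "s", S,
                   ("par", ("out", "s", ("x",), ("act", ("x",), ("nil",))), RECEIVER)))
SHARED = ("qbit", "x", ("par", ("act", ("x",), ("nil",)), ("act", ("x",), ("nil",))))
```

`SEND_THEN_REUSE` is rejected because the sender touches `x` after the output, and `SHARED` because both parallel components claim the same qubit; classical values are unaffected by either restriction.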

6 Soundness of the Type System 

We prove a series of standard lemmas, following the approach
of Wright and Felleisen [28], leading to a proof that typing
is preserved by execution of processes (Theorem 1). We then
prove that in a typable process, each qubit is used by at
most one of any parallel collection of sub-processes
(Theorem 2); because of type preservation, this property
holds at every step of the execution of a typable process.
This reflects the physical reality of the protocols which we
want to model.
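$$
\Gamma \vdash v : \mathsf{Int} \quad \text{if } v \text{ is an integer literal}
\tag{T-IntLit}
$$

$$
\Gamma \vdash \mathsf{unit} : \mathsf{Unit}
\tag{T-Unit}
$$

$$
\Gamma \vdash \mathsf{H} : \mathsf{Op}(2) \quad \text{etc.}
\tag{T-Op}
$$

$$
\Gamma, x:T \vdash x : T
\tag{T-Var}
$$

$$
\dfrac{\Gamma \vdash e : \mathsf{Int} \qquad \Gamma \vdash e' : \mathsf{Int}}
      {\Gamma \vdash e+e' : \mathsf{Int}}
\tag{T-Plus}
$$

$$
\dfrac{\Gamma \vdash \tilde e : \widetilde{\mathsf{Qbit}}}
      {\Gamma \vdash \mathsf{measure}\ \tilde e : \mathsf{Int}}
\tag{T-Msure}
$$

$$
\dfrac{\forall i.(x_i : \mathsf{Qbit} \in \Gamma) \qquad x_1 \ldots x_n \text{ distinct} \qquad \Gamma \vdash U : \mathsf{Op}(n)}
      {\Gamma \vdash x_1,\ldots,x_n \mathrel{*}= U : \mathsf{Unit}}
\tag{T-Trans}
$$

$$
\Gamma \vdash 0
\tag{T-Nil}
$$

$$
\dfrac{\Gamma_1 \vdash P \qquad \Gamma_2 \vdash Q}
      {\Gamma_1 + \Gamma_2 \vdash P \mid Q}
\tag{T-Par}
$$

$$
\dfrac{\Gamma \vdash x : {}^\wedge[T_1,\ldots,T_n] \qquad \Gamma, y_1:T_1,\ldots,y_n:T_n \vdash P}
      {\Gamma \vdash x?[y_1:T_1,\ldots,y_n:T_n].P}
\tag{T-In}
$$

$$
\dfrac{\Gamma, x:\mathsf{Qbit} \vdash P}
      {\Gamma \vdash (\mathsf{qbit}\ x)P}
\tag{T-Qbit}
$$

$$
\dfrac{\Gamma \vdash x : {}^\wedge[T_1,\ldots,T_m,\mathsf{Qbit},\ldots,\mathsf{Qbit}] \qquad \forall i.(T_i \neq \mathsf{Qbit}) \qquad \forall i.(\Gamma \vdash e_i : T_i) \qquad y_i \text{ distinct} \qquad \Gamma \vdash P}
      {\Gamma, y_1:\mathsf{Qbit},\ldots,y_n:\mathsf{Qbit} \vdash x![e_1,\ldots,e_m,y_1,\ldots,y_n].P}
\tag{T-Out}
$$

$$
\dfrac{\Gamma \vdash e : T \qquad \Gamma \vdash P}
      {\Gamma \vdash \{e\}.P}
\tag{T-Act}
$$

$$
\dfrac{\Gamma, x:{}^\wedge[T_1,\ldots,T_n] \vdash P}
      {\Gamma \vdash (\mathsf{new}\ x:{}^\wedge[T_1,\ldots,T_n])P}
\tag{T-New}
$$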



Figure 12: Typing rules 



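$$
\Gamma; \Sigma; \Phi \vdash v : \mathsf{Int} \quad \text{if } v \text{ is an integer literal}
\tag{IT-IntLit}
$$

$$
\Gamma; \Sigma; \Phi \vdash \mathsf{unit} : \mathsf{Unit}
\tag{IT-Unit}
$$

$$
\Gamma; \Sigma; \Phi \vdash \mathsf{H} : \mathsf{Op}(2) \quad \text{etc.}
\tag{IT-Op}
$$

$$
\Gamma, x:T; \Sigma; \Phi \vdash x : T
\tag{IT-Var}
$$

$$
\Gamma; \Sigma, q; \Phi \vdash q : \mathsf{Qbit}
\tag{IT-IdQ}
$$

$$
\Gamma; \Sigma; \Phi, c:T \vdash c : T
\tag{IT-IdC}
$$

$$
\dfrac{\Gamma; \Sigma; \Phi \vdash e : \mathsf{Int} \qquad \Gamma; \Sigma; \Phi \vdash e' : \mathsf{Int}}
      {\Gamma; \Sigma; \Phi \vdash e+e' : \mathsf{Int}}
\tag{IT-Plus}
$$

$$
\dfrac{\Gamma; \Sigma; \Phi \vdash \tilde e : \widetilde{\mathsf{Qbit}}}
      {\Gamma; \Sigma; \Phi \vdash \mathsf{measure}\ \tilde e : \mathsf{Int}}
\tag{IT-Msure}
$$

$$
\dfrac{\forall i.(\Gamma; \Sigma; \Phi \vdash e_i : \mathsf{Qbit}) \qquad \Gamma; \Sigma; \Phi \vdash U : \mathsf{Op}(n) \qquad \text{each } e_i \text{ is either } x_i \text{ or } q_i, \text{ all distinct}}
      {\Gamma; \Sigma; \Phi \vdash e_1,\ldots,e_n \mathrel{*}= U : \mathsf{Unit}}
\tag{IT-Trans}
$$

$$
\Gamma; \Sigma; \Phi \vdash 0
\tag{IT-Nil}
$$

$$
\dfrac{\Gamma_1; \Sigma_1; \Phi \vdash P \qquad \Gamma_2; \Sigma_2; \Phi \vdash Q}
      {\Gamma_1 + \Gamma_2; \Sigma_1 + \Sigma_2; \Phi \vdash P \mid Q}
\tag{IT-Par}
$$

$$
\dfrac{\Gamma; \Sigma; \Phi \vdash e : {}^\wedge[T_1,\ldots,T_n] \qquad \Gamma, y_1:T_1,\ldots,y_n:T_n; \Sigma; \Phi \vdash P}
      {\Gamma; \Sigma; \Phi \vdash e?[y_1:T_1,\ldots,y_n:T_n].P}
\tag{IT-In}
$$

$$
\dfrac{\Gamma, x:\mathsf{Qbit}; \Sigma; \Phi \vdash P}
      {\Gamma; \Sigma; \Phi \vdash (\mathsf{qbit}\ x)P}
\tag{IT-Qbit}
$$

$$
\dfrac{\begin{array}{c}
\Gamma; \Sigma; \Phi \vdash e : {}^\wedge[\tilde T, \widetilde{\mathsf{Qbit}}] \qquad \forall i.(T_i \neq \mathsf{Qbit}) \qquad \forall i.(\Gamma; \Sigma; \Phi \vdash e_i : T_i) \\
\forall i.(\Gamma; \Sigma; \Phi \vdash f_i : \mathsf{Qbit}) \qquad \Gamma; \Sigma; \Phi \vdash P \\
\tilde f \text{ consists of distinct variables } \tilde x \text{ and distinct qubit names } \tilde q
\end{array}}
      {\Gamma, \tilde x:\widetilde{\mathsf{Qbit}}; \Sigma, \tilde q; \Phi \vdash e![e_1,\ldots,e_m,f_1,\ldots,f_n].P}
\tag{IT-Out}
$$

$$
\dfrac{\Gamma; \Sigma; \Phi \vdash e : T \qquad \Gamma; \Sigma; \Phi \vdash P}
      {\Gamma; \Sigma; \Phi \vdash \{e\}.P}
\tag{IT-Act}
$$

$$
\dfrac{\Gamma, x:{}^\wedge[T_1,\ldots,T_n]; \Sigma; \Phi \vdash P}
      {\Gamma; \Sigma; \Phi \vdash (\mathsf{new}\ x:{}^\wedge[T_1,\ldots,T_n])P}
\tag{IT-New}
$$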



Figure 13: Internal typing rules 
We can also prove a standard runtime safety theorem, stating
that a typable process generates no communication errors or
incorrectly-applied operators, but we have not included it in
the present paper.

Lemma 1 (Typability of Subterms in E)

If $\mathcal{D}$ is a typing derivation concluding
$\Gamma; \Sigma; \Phi \vdash E[e] : T$ then there exists $U$
such that $\mathcal{D}$ has a subderivation $\mathcal{D}'$
concluding $\Gamma; \Sigma; \Phi \vdash e : U$ and the
position of $\mathcal{D}'$ in $\mathcal{D}$ corresponds to
the position of the hole in $E[]$.

Proof: By induction on the structure of $E[]$. □

Lemma 2 (Replacement in E) If

1. $\mathcal{D}$ is a derivation concluding $\Gamma; \Sigma; \Phi \vdash E[e] : T$

2. $\mathcal{D}'$ is a subderiv. of $\mathcal{D}$ concluding $\Gamma; \Sigma; \Phi \vdash e : U$

3. the position of $\mathcal{D}'$ in $\mathcal{D}$ matches the hole in $E[]$

4. $\Gamma; \Sigma; \Phi \vdash e' : U$

then $\Gamma; \Sigma; \Phi \vdash E[e'] : T$.

Proof: Replace $\mathcal{D}'$ in $\mathcal{D}$ by a deriv. of $\Gamma; \Sigma; \Phi \vdash e' : U$. □

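Lemma 3 (Type Preservation for $\longrightarrow_v$)

If $\Gamma; \Sigma; \Phi \vdash e : T$ and
$(\sigma; \phi; e) \longrightarrow_v \boxplus_i\ p_i \bullet (\sigma_i; \phi_i; e_i)$
and $\Sigma = dom(\sigma)$ and $\phi = dom(\Phi)$ then
$\forall i.(\sigma_i = \sigma)$ and $\forall i.(\phi_i = \phi)$
and $\forall i.(\Gamma; \Sigma; \Phi \vdash e_i : T)$.

Proof: Straightforward from the definition of
$\longrightarrow_v$ by examining each case. □

Lemma 4 (Type Preservation for $\longrightarrow_e$)

If $\Gamma; \Sigma; \Phi \vdash e : T$ and
$(\sigma; \phi; e) \longrightarrow_e \boxplus_i\ p_i \bullet (\sigma_i; \phi_i; e_i)$
and $\Sigma = dom(\sigma)$ and $\phi = dom(\Phi)$ then
$\forall i.(\sigma_i = \sigma)$ and $\forall i.(\phi_i = \phi)$
and $\forall i.(\Gamma; \Sigma; \Phi \vdash e_i : T)$.

Proof:
$(\sigma; \phi; e) \longrightarrow_e \boxplus_i\ p_i \bullet (\sigma_i; \phi_i; e_i)$
is derived by R-Context, so for some $E[]$ we have
$e = E[f]$ and $\forall i.(e_i = E[f_i])$ and
$(\sigma; \phi; f) \longrightarrow_v \boxplus_i\ p_i \bullet (\sigma_i; \phi_i; f_i)$.
From $\Gamma; \Sigma; \Phi \vdash E[f] : T$, Lemma 1 gives
$\Gamma; \Sigma; \Phi \vdash f : U$ for some $U$, Lemma 3
gives $\forall i.(\Gamma; \Sigma; \Phi \vdash f_i : U)$ and
$\forall i.(\sigma_i = \sigma)$ and
$\forall i.(\phi_i = \phi)$, and Lemma 2 gives
$\forall i.(\Gamma; \Sigma; \Phi \vdash E[f_i] : T)$. □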

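Lemma 5 (Typability of Subterms in F)

If $\mathcal{D}$ is a typing derivation concluding
$\Gamma; \Sigma; \Phi \vdash F[e]$ then there exists $T$ such
that $\mathcal{D}$ has a subderivation $\mathcal{D}'$
concluding $\Gamma; \Sigma; \Phi \vdash e : T$ and the
position of $\mathcal{D}'$ in $\mathcal{D}$ corresponds to
the position of the hole in $F[]$.

Proof: By case-analysis on the structure of $F[]$. □

Lemma 6 (Replacement in F) If

1. $\mathcal{D}$ is a derivation concluding $\Gamma; \Sigma; \Phi \vdash F[e]$

2. $\mathcal{D}'$ is a subderiv. of $\mathcal{D}$ concluding $\Gamma; \Sigma; \Phi \vdash e : T$

3. the position of $\mathcal{D}'$ in $\mathcal{D}$ matches the hole in $F[]$

4. $\Gamma; \Sigma; \Phi \vdash e' : T$

then $\Gamma; \Sigma; \Phi \vdash F[e']$.

Proof: Replace $\mathcal{D}'$ in $\mathcal{D}$ by a deriv. of $\Gamma; \Sigma; \Phi \vdash e' : T$. □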

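Lemma 7 (Weakening for Expressions)

If $\Gamma; \Sigma; \Phi \vdash e : T$ and
$\Gamma \subseteq \Gamma'$ and $\Sigma \subseteq \Sigma'$ and
$\Phi \subseteq \Phi'$ then
$\Gamma'; \Sigma'; \Phi' \vdash e : T$.

Proof: Induction on the derivation of $\Gamma; \Sigma; \Phi \vdash e : T$. □

Lemma 8

If $\Gamma; \Sigma; \Phi \vdash e : T$ then
$fv(e) \subseteq dom(\Gamma)$ and $fq(e) \subseteq \Sigma$
and $fc(e) \subseteq dom(\Phi)$.

Proof: Induction on the derivation of $\Gamma; \Sigma; \Phi \vdash e : T$. □

Lemma 9

If $\Gamma; \Sigma; \Phi \vdash P$ then
$fv(P) \subseteq dom(\Gamma)$ and $fq(P) \subseteq \Sigma$
and $fc(P) \subseteq dom(\Phi)$.

Proof: Induction on the derivation of $\Gamma; \Sigma; \Phi \vdash P$. □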

Lemma 10 (Substitution in Expressions)

Assume that $\Gamma, \tilde x:\tilde T; \Sigma; \Phi \vdash e : T$
and let $\tilde v$ be values such that, for each $i$:

1. if $T_i = \mathsf{Qbit}$ then $v_i$ is a variable or a qubit name

2. if $T_i = \mathsf{Qbit}$ and $v_i = y_i$ (a var) then $y_i \notin \Gamma, \tilde x:\tilde T$

3. if $T_i = \mathsf{Qbit}$ and $v_i = q_i$ (a qubit name) then $q_i \notin \Sigma$

4. if $T_i \neq \mathsf{Qbit}$ then $\Gamma; \Sigma; \Phi \vdash v_i : T_i$.

Let $\tilde y$ be the variables of type Qbit from $\tilde v$
(corresponding to condition (2)) and assume that they are
distinct; let $\tilde q$ be the qubit names from $\tilde v$
(corresponding to condition (3)) and assume that they are
distinct. Then
$\Gamma, \tilde y:\widetilde{\mathsf{Qbit}}; \Sigma, \tilde q; \Phi \vdash e\{\tilde v/\tilde x\} : T$.

Proof: Induction on the deriv. of $\Gamma, \tilde x:\tilde T; \Sigma; \Phi \vdash e : T$. □

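Lemma 11 (Substitution in Processes)

Assume that $\Gamma, \tilde x:\tilde T; \Sigma; \Phi \vdash P$
and let $\tilde v$ be values such that, for each $i$:

1. if $T_i = \mathsf{Qbit}$ then $v_i$ is a variable or a qubit name

2. if $T_i = \mathsf{Qbit}$ and $v_i = y_i$ (a var) then $y_i \notin \Gamma, \tilde x:\tilde T$

3. if $T_i = \mathsf{Qbit}$ and $v_i = q_i$ (a qubit name) then $q_i \notin \Sigma$

4. if $T_i \neq \mathsf{Qbit}$ then $\Gamma; \Sigma; \Phi \vdash v_i : T_i$.

Let $\tilde y$ be the variables of type Qbit from $\tilde v$
(corresponding to condition (2)) and assume that they are
distinct; let $\tilde q$ be the qubit names from $\tilde v$
(corresponding to condition (3)) and assume that they are
distinct. Then
$\Gamma, \tilde y:\widetilde{\mathsf{Qbit}}; \Sigma, \tilde q; \Phi \vdash P\{\tilde v/\tilde x\}$.

Proof: By induction on the derivation of
$\Gamma, \tilde x:\tilde T; \Sigma; \Phi \vdash P$. The key
cases are T-Par and T-Out.

For T-Par the final step in the typing derivation has the
form

$$
\dfrac{\Gamma_1; \Sigma_1; \Phi \vdash P \qquad \Gamma_2; \Sigma_2; \Phi \vdash Q}
      {\Gamma, \tilde x:\tilde T; \Sigma; \Phi \vdash P \mid Q}
$$

where $\Gamma_1 + \Gamma_2 = \Gamma, \tilde x:\tilde T$ and
$\Sigma_1 + \Sigma_2 = \Sigma$. Each variable of type Qbit in
$\Gamma, \tilde x:\tilde T$ is in exactly one of $\Gamma_1$
and $\Gamma_2$. Because the free variables of $P$ and $Q$ are
contained in $\Gamma_1$ and $\Gamma_2$ respectively,
substitution into $P \mid Q$ splits into disjoint
substitutions into $P$ and $Q$. The induction hypothesis
gives typings for $P\{\tilde v/\tilde x\}$ and
$Q\{\tilde v/\tilde x\}$, which combine (by T-Par) to give
$\Gamma, \tilde y:\widetilde{\mathsf{Qbit}}; \Sigma, \tilde q; \Phi \vdash P \mid Q\{\tilde v/\tilde x\}$. □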

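Lemma 12 (Struct. Cong. Preserves Typing)

If $\Gamma; \Sigma; \Phi \vdash P$ and $P \equiv Q$ then
$\Gamma; \Sigma; \Phi \vdash Q$.

Proof: Induction on the derivation of $P \equiv Q$. □

Lemma 13 (External/Internal Type System)

$\Gamma \vdash e : T \Longrightarrow \Gamma; \emptyset; \emptyset \vdash e : T$
and
$\Gamma \vdash P \Longrightarrow \Gamma; \emptyset; \emptyset \vdash P$.

Proof: Induction on the derivations. □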

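Theorem 1 (Type Preservation for $\longrightarrow$)

If $\Gamma; \Sigma; \Phi \vdash P$ and
$(\sigma; \phi; P) \longrightarrow \boxplus_i\ p_i \bullet (\sigma_i; \phi_i; P_i)$
and $\Sigma = dom(\sigma)$ and $\phi = dom(\Phi)$ then
$\forall i.(\sigma_i = \sigma)$ and $\forall i.(\phi_i = \phi)$
and $\forall i.(\Gamma; \Sigma; \Phi \vdash P_i)$.

Proof: By induction on the derivation of
$(\sigma; \phi; P) \longrightarrow \boxplus_i\ p_i \bullet (\sigma_i; \phi_i; P_i)$,
in each case examining the final steps in the derivation of
$\Gamma; \Sigma; \Phi \vdash P$. □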

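Theorem 2 (Unique Ownership of Qubits)

If $\Gamma; \Sigma; \Phi \vdash P \mid Q$ then
$fq(P) \cap fq(Q) = \emptyset$.

Proof: The final step in the derivation of
$\Gamma; \Sigma; \Phi \vdash P \mid Q$ has the form

$$
\dfrac{\Gamma_1; \Sigma_1; \Phi \vdash P \qquad \Gamma_2; \Sigma_2; \Phi \vdash Q}
      {\Gamma; \Sigma; \Phi \vdash P \mid Q}
$$

where $\Gamma = \Gamma_1 + \Gamma_2$ and
$\Sigma = \Sigma_1 + \Sigma_2$. By Lemma 9,
$fq(P) \subseteq \Sigma_1$ and $fq(Q) \subseteq \Sigma_2$.
The implicit hypothesis of the typing rule T-Par is that
$\Sigma_1 + \Sigma_2$ is defined, meaning that
$\Sigma_1 \cap \Sigma_2 = \emptyset$. Hence
$fq(P) \cap fq(Q) = \emptyset$. □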

7 Future Work 

Our aim is to develop techniques for formal verifica- 
tion of systems modelled in CQP. In particular we 
are working towards an analysis of the BB84 quan- 
tum key distribution protocol, including both the core 
quantum steps and the classical authentication phase. 



Initially we will use model-checking, in both standard 
(non-deterministic) and probabilistic forms. Standard 
model-checking is appropriate for absolute properties 
(for example, the quantum teleportation protocol (Section 3.2)
claims that the final state of y is always the 
same as the initial state of z). In general, however, 
probabilistic model-checking is needed. For example, 
the bit-commitment protocol (Section 3.3) guarantees 
that, with some high probability which is dependent 
on the number of bits used by Alice, Bob's verification 
step is successful. We have obtained preliminary results 
[Ilini with the CWB-NC [T] and PRISM M systems, 
working directly with the modelling language of each 
tool. The next step is to develop automated transla- 
tions of CQP into these lower-level modelling languages; 
note that our operational semantics matches the seman- 
tic model used by PRISM. 

Another major area for future work is to develop a 
theory of equivalence for CQP processes, as a founda- 
tion for compositional techniques for reasoning about 
the behaviour of systems. 

We can also consider extending the language. It 
should be straightforward to add purely classical fea- 
tures such as functions and assignable variables. Ex- 
tensions which combine quantum data with enhanced 
classical control structures require more care. Valiron's 
recent formulation of a typed quantum lambda cal- 
culus seems very compatible with our approach, and it 
should fit into CQP's expression language fairly easily. 

8 Conclusions 

We have defined a language, CQP, for modelling sys- 
tems which combine quantum and classical communi- 
cation and computation. CQP has a formal operational 
semantics, and a static type system which guarantees 
that transmitting a qubit on a communication channel 
corresponds to a physical transfer of ownership. 

The syntax and semantics of CQP are based on a 
combination of the pi-calculus and an expression lan- 
guage which includes measurement and transformation 
of quantum state. The style of our definitions makes it 
easy to enrich the language. 

Our research programme is to use CQP as the basis 
for analysis and verification of quantum protocols, and 
we have outlined some possibilities for the use of both 
standard and probabilistic model-checking. 
1 Introduction 

Quantum computing and quantum communication have attracted
growing interest since their inception as research areas
more than twenty years ago, and there has been a surge of
activity among computer scientists during the last few
years. While quantum computing offers the prospect of vast
improvements in algorithmic efficiency for certain problems,
quantum cryptography can provide communication systems which
will be secure even in the presence of hypothetical future
quantum computers. As a practical technology, quantum
communication has progressed far more rapidly than quantum
computing. Secure communication involving quantum
cryptography has recently been demonstrated in a scenario
involving banking transactions in Vienna, systems are
commercially available from Id Quantique, MagiQ Technologies
and NEC, and plans have been reported to establish a
nationwide quantum communication network in Singapore.
Secure quantum communication will undoubtedly become a
fundamental part of the technological infrastructure of
society, long before quantum computers can tackle
computations of a useful size.

Partially supported by the UK EPSRC (GR/S34090) and the
EU Sixth Framework Programme (Project SecoQC).

An earlier version of this paper is in Proceedings of the
2nd International Workshop on Quantum Programming Languages,
Turku Centre for Computer Science General Publication
No. 33, June 2004.

However, secure quantum communication is not a solved
problem. Although particular protocols have been
mathematically proved correct (for example, Mayers' analysis
of the Bennett-Brassard protocol (BB84) for quantum key
distribution), this does not guarantee the security of
systems which use them. Experience of classical security
analysis has shown that even if protocols are theoretically
secure, it is difficult to achieve robust and reliable
implementations of secure systems: security can be
compromised by flaws at the implementation level or at the
boundaries between systems. To address this problem,
computer scientists have developed an impressive armoury of
techniques and tools for formal modelling, analysis and
verification of classical security protocols and
communication systems which use them. These techniques have
been remarkably successful both in establishing the security
of new protocols and in demonstrating flaws in protocols
which had previously been believed to be secure. Their
strength lies in the ability to model systems as well as
idealized protocols, and the flexibility to easily
re-analyze variations in design.

Our research programme is to develop techniques 
and tools for formal modelling, analysis and verification 
of quantum communication and cryptographic systems. 
More precisely we aim to handle systems which combine
quantum and classical communication and com- 
putation, for two reasons: the first quantum communi- 
cation systems will implement communication between 
classical computers; and protocols such as BB84 typi- 
cally contain classical communication and computation 
as well as quantum cryptography. We cannot simply 
make use of existing techniques for classical security 
analysis: for example, treating the security of quan- 
tum cryptography axiomatically would not permit anal- 
ysis of the protocols which construct quantum crypto- 
graphic keys. Furthermore, the inherently probabilistic 
nature of quantum systems means that not all verifica- 
tion consists of checking absolute properties; we need a 
probabilistic modelling and analysis framework. 

Any formal analysis which involves automated tools requires
a modelling language with a precisely-defined semantics. The
purpose of this paper is to define a language, CQP
(Communicating Quantum Processes), which will serve as the
foundation for the programme described above. CQP combines
the communication primitives of the pi-calculus with
primitives for transformation and measurement of quantum
state. In particular, qubits (quantum bits, the basic
elements of quantum data) can be transmitted along
communication channels. In Section 3 we introduce CQP
through a series of examples which cover a wide spectrum of
quantum information processing scenarios: a quantum
coin-flipping game; a quantum communication protocol known
as teleportation; and a quantum bit-commitment protocol. The
latter will lead naturally to a model of the BB84 quantum
key-distribution protocol in future work. In Section 4 we
formalize the syntax of CQP and define an operational
semantics which combines non-determinism (arising in the
same way as in pi-calculus) with the probabilistic results
of quantum measurements. In Section 5 we define a static
type system which classifies data and communication
channels, and crucially treats qubits as physical resources:
if process P sends qubit q to process Q, then P must not
access q subsequently, and this restriction can be enforced
by static typechecking. In Section 6 we prove that the
invariants of the type system are preserved by the
operational semantics, guaranteeing in particular that at
every point during execution of a system, every qubit is
uniquely owned by a single parallel component. In Section 7
we outline our plans for further work, focusing on the use
of both standard (non-deterministic) and probabilistic
model-checking systems.

Related Work 

There has been a great deal of interest in quantum
programming languages, resulting in a number of proposals in
different styles. Such languages can express arbitrary
quantum state transformations and could be used to model
quantum protocols in those terms. However, our view is that
any model lacking an explicit treatment of communication is
essentially incomplete for the analysis of protocols;
certainly in the classical world, standard programming
languages are not considered adequate frameworks in which to
analyze or verify protocols. Nevertheless, Selinger's
functional language QPL in particular has influenced our
choice of computational operators for CQP.

The closest work to our own, developed simultaneously but
independently, is Jorrand and Lalire's QPAlg, which also
combines process-calculus-style communication with
transformation and measurement of quantum state. The most
distinctive features of our work 
are the type system and associated proofs, the explicit 
formulation of an expression language which can easily 
be extended, and our emphasis on a methodology for 
formal verification. 

The work of Abramsky and Coecke is also relevant. They
define a category-theoretic semantic foundation for quantum
protocols, which supports reasoning 
about systems and exposes deep connections between 
quantum systems and programming language seman- 
tics, but they do not define a formal syntax in which to 
specify models. It will be interesting to investigate the 
relationship between CQP and the semantic structures 
which they propose. 

2 Preliminaries 

We briefly introduce the aspects of quantum theory which are
needed for the rest of the paper. For more detailed
presentations we refer the reader to the books by Gruska and
Nielsen and Chuang. Rieffel and Polak give an account aimed
at computer scientists.
A quantum bit or qubit is a physical system which has two
states, conventionally written $|0\rangle$ and $|1\rangle$,
corresponding to one-bit classical values. These could be,
for example, spin states of a particle or polarization
states of a photon, but we do not consider physical details.
According to quantum theory, a general state of a quantum
system is a superposition or linear combination of basis
states. Concretely, a qubit has state
$\alpha|0\rangle + \beta|1\rangle$ where $\alpha$ and
$\beta$ are complex numbers such that
$|\alpha|^2 + |\beta|^2 = 1$; states which differ only by a
(complex) scalar factor with modulus 1 are
indistinguishable. States can be represented by column
vectors:

$$
\begin{pmatrix} \alpha \\ \beta \end{pmatrix} = \alpha|0\rangle + \beta|1\rangle .
$$

Superpositions are illustrated by the quantum coin-flipping
game which we discuss in Section 3.1. Formally, a quantum
state is a unit vector in a Hilbert space, i.e. a complex
vector space equipped with an inner product satisfying
certain axioms. In this paper we will restrict attention to
collections of qubits.

The basis $\{|0\rangle, |1\rangle\}$ is known as the
standard basis. Other bases are sometimes of interest,
especially the diagonal (or dual, or Hadamard) basis
consisting of the vectors
$|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and
$|-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. For
example, with respect to the diagonal basis, $|0\rangle$ is
in a superposition of basis states:
Evolution of a closed quantum system can be described by a
unitary transformation. If the state of a qubit is
represented by a column vector then a unitary transformation
$U$ can be represented by a complex-valued matrix $(u_{ij})$
such that $U^{-1} = U^*$, where $U^*$ is the
conjugate-transpose of $U$ (i.e. element $ij$ of $U^*$ is
$\bar{u}_{ji}$). $U$ acts by matrix multiplication:

$$
\begin{pmatrix} u_{00} & u_{01} \\ u_{10} & u_{11} \end{pmatrix}
\begin{pmatrix} \alpha \\ \beta \end{pmatrix}
=
\begin{pmatrix} u_{00}\alpha + u_{01}\beta \\ u_{10}\alpha + u_{11}\beta \end{pmatrix}
$$
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A unitary transformation can also be defined by its ef- 
fect on basis states, which is extended linearly to the 
whole space. For example, the Hadamard transforma- 
tion is defined by 



10) ^ Tfl 
|1) ^ Til 

which corresponds to the matrix 
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The Hadamard transformation creates superpositions: 
H|0) = \+) and H|l) = |-). We will also make use of the 
Pauli transformations, denoted by either /, a^jCTy, <Tz or 
""o, O"!, o'2, CTs: 
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A key feature of quantum physics is the role of mea- 
surement. If a qubit is in the state a|0) -|- fi\l) then 
measuring its value gives the result with probability 
|ap (leaving it in state |0)) and the result 1 with proba- 
bility (leaving it in state |1)). Protocols sometimes 
specify measurement with respect to a different basis, 
such as the diagonal basis; this can be expressed as a 
unitary change of basis followed by a measurement with 
respect to the standard basis. Note that if a qubit is 



in state |-|-) then a measurement with respect to the 
standard basis give result (and state |0)) with prob- 
ability i, and result 1 (and state |1)) with probability 
i. If a qubit is in state |0) then a measurement with 
respect to the diagonal basis gives result "'^ (and state 
|-|-)) with probability i, and result 1 (and state |— ))) 
with probability i, because of the representation of |0) 
in the diagonal basis noted above. If a classical bit is 
represented by a qubit using either the standard or di- 
agonal basis, then a measurement with respect to the 
correct basis results in the original bit, but a measure- 
ment with respect to the other basis results in or 1 
with equal probability. This behaviour is used by the 
quantum bit-commitment protocol which we discuss in 
Section^3 

To go beyond single-qubit systems, we consider
tensor products of spaces (in contrast to the cartesian
products used in classical systems). If spaces $U$ and
$V$ have bases $\{u_i\}$ and $\{v_j\}$ then $U \otimes V$ has basis
$\{u_i \otimes v_j\}$. In particular, a system consisting of $n$
qubits has a $2^n$-dimensional space whose standard
basis is $|00\ldots0\rangle \ldots |11\ldots1\rangle$. We can now consider
measurements of single qubits or collective measurements
of multiple qubits. For example, a 2-qubit system has
basis $|00\rangle, |01\rangle, |10\rangle, |11\rangle$ and a general state is
$\alpha|00\rangle + \beta|01\rangle + \gamma|10\rangle + \delta|11\rangle$ with $|\alpha|^2 + |\beta|^2 + |\gamma|^2 + |\delta|^2 = 1$.
Measuring the first qubit gives result 0 with probability
$|\alpha|^2 + |\beta|^2$ (leaving the system in state
$\frac{1}{\sqrt{|\alpha|^2 + |\beta|^2}}(\alpha|00\rangle + \beta|01\rangle)$) and result 1 with probability
$|\gamma|^2 + |\delta|^2$ (leaving the system in state
$\frac{1}{\sqrt{|\gamma|^2 + |\delta|^2}}(\gamma|10\rangle + \delta|11\rangle)$). Measuring both qubits
simultaneously gives result 0 with
probability $|\alpha|^2$ (leaving the system in state $|00\rangle$),
result 1 with probability $|\beta|^2$ (leaving the system in state
$|01\rangle$) and so on; note that the association of basis states
$|00\rangle, |01\rangle, |10\rangle, |11\rangle$ with results 0, 1, 2, 3 is just a
conventional choice. The power of quantum computing,
in an algorithmic sense, results from calculating with
superpositions of states; all the states are transformed
simultaneously (quantum parallelism) and the effect
increases exponentially with the dimension of the state
space. The challenge in quantum algorithm design is to
make measurements which enable this parallelism to be
exploited; in general this is very difficult.

We will make use of the conditional not (CNot) 
transformation on pairs of qubits. Its action on basis 
states is defined by 



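$$|00\rangle \mapsto |00\rangle \qquad |01\rangle \mapsto |01\rangle \qquad |10\rangle \mapsto |11\rangle \qquad |11\rangle \mapsto |10\rangle$$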



which can be understood as inverting the second qubit 
if and only if the first qubit is set, although in general 
we need to consider the effect on non-basis states. 



^ Strictly speaking, the outcome of the measurement is just the
final state; the specific association of numerical results with final
states is a matter of convention.

Systems of two or more qubits can exhibit the
phenomenon of entanglement, meaning that the states of
the qubits are correlated. For example, consider a
measurement of the first qubit of the state $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$.
The result is 0 (and resulting state $|00\rangle$) with
probability $\frac{1}{2}$, or 1 (and resulting state $|11\rangle$) with probability $\frac{1}{2}$.
In either case a subsequent measurement of the second
qubit gives a definite (non-probabilistic) result which is
always the same as the result of the first measurement.
This is true even if the entangled qubits are physically
separated. Entanglement illustrates the key difference
between the use of tensor product (in quantum systems)
and cartesian product (in classical systems): an
entangled state of two qubits is one which cannot be
decomposed as a pair of single-qubit states. Entanglement is
used in an essential way in the quantum teleportation
protocol which we discuss in Section 3.2. That example
uses the CNot transformation to create entanglement:
$\mathrm{CNot}((H \otimes I)|00\rangle) = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$.

3 Examples of Modelling in CQP 

3.1 A Quantum Coin-Flipping Game 

Our first example is based on a scenario used by Meyer
to initiate the study of quantum game theory.
Players P and Q play the following game: P places a coin,
head upwards, in a box, and then the players take turns
(Q, then P, then Q) to optionally turn the coin over,
without being able to see it. Finally the box is opened
and Q wins if the coin is head upwards.

Clearly neither player has a winning strategy, but
the situation changes if the coin is a quantum system,
represented by a qubit ($|0\rangle$ for head upwards, $|1\rangle$ for
tail upwards). Turning the coin over corresponds to the
transformation $\sigma_1$, and this is what P can do. But
suppose that Q can apply $H$, which corresponds to
transforming from head upwards ($|0\rangle$) to a superposition of
head upwards and tail upwards ($\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$), and does
this on both turns. Then we have two possible runs of
the game, (a) and (b):



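and in each case the coin finishes head upwards. To
verify this we calculate that the state $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ is
invariant under $\sigma_1$:

$$\begin{pmatrix}0 & 1\\ 1 & 0\end{pmatrix}\frac{1}{\sqrt{2}}\begin{pmatrix}1\\ 1\end{pmatrix} = \frac{1}{\sqrt{2}}\begin{pmatrix}1\\ 1\end{pmatrix}$$

and that the Hadamard transformation $H$ is self-inverse:

$$\frac{1}{\sqrt{2}}\begin{pmatrix}1 & 1\\ 1 & -1\end{pmatrix}\frac{1}{\sqrt{2}}\begin{pmatrix}1 & 1\\ 1 & -1\end{pmatrix} = \begin{pmatrix}1 & 0\\ 0 & 1\end{pmatrix}$$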


Meyer considers game-theoretic issues relating to the
expected outcome of repeated runs, but we just model
a single run in CQP (Figure 1). Most of the syntax of
CQP is based on typed pi-calculus, using fairly common
notation (for example, see Pierce and Sangiorgi's
presentation). P and Q communicate by means of
the typed channel s:^[Qbit] which carries qubits. It is
a parameter of both P and Q. At the top level, System
creates s with (new s:^[Qbit]) and starts P and Q in
parallel. Q and System are also parameterized by x,
the qubit representing the initial state of the coin.

Q applies (x *= H) the Hadamard transformation to
x; this syntax is based on Selinger's QPL. This
expression is converted into an action by {...}. Using
a standard pi-calculus programming style, Q creates a
channel t and sends (s![x, t]) it to P along with the qubit
x. P will use t to send the qubit back, and Q receives
it with t?[z:Qbit], binding it to the name z in the rest
of the code. Finally Q applies H again, and continues
with some behaviour C(z).

P contains two branches of behaviour, corresponding
to the possibilities of applying (second branch)
or not applying (first branch) the transformation $\sigma_1$.
Both branches terminate with the null process 0. The
branches are placed in parallel^ and the operational
semantics means that only one of them interacts with Q;
the other is effectively Garbage (different in each case).

Figure 2 shows the execution (combining some steps)
of System according to the operational semantics which
we will define formally in Section 4. Reduction takes
place on configurations $(\sigma; \phi; P)$ where $\sigma$ is a list of
qubits and their collective state, $\phi$ lists the channels
which have been created, and $P$ is a process term. Note
that the state of the qubits must be a global property in
order to be physically realistic. We record the channels
globally in order to give the semantics a uniform style;
this is different from the usual approach to pi-calculus
semantics, but (modulo garbage collection) is equivalent
to expanding the scope of every new before beginning
execution.

The execution of System tracks the informal cal- 
culation which we worked through above. Our CQP 
model makes the manipulation of the qubit very ex- 
plicit; there are other ways to express the behaviour 
(including putting everything into a single process with 
no communication), but the point is that we have a 
framework in which to discuss such issues. 

^Simpler definitions can be obtained if we add guarded sums
to CQP; there is then no need for the channel t. This is
straightforward but we have chosen instead to simplify the presentation
of the semantics.

P(s:^[Qbit]) = s?[y:Qbit, t:^[Qbit]] . t![y] . 0
             | s?[y:Qbit, t:^[Qbit]] . {y *= σ1} . t![y] . 0

Q(x:Qbit, s:^[Qbit]) = {x *= H} . (new t:^[Qbit])(s![x,t] . t?[z:Qbit] . {z *= H} . C(z))

System(x:Qbit) = (new s:^[Qbit])(P(s) | Q(x,s))

Figure 1: The quantum coin-flipping game in CQP



x = |0⟩ ; ∅ ; System(x)
  ↓ expand definition
x = |0⟩ ; ∅ ; (new s:^[Qbit])(P(s) | Q(x,s))
  ↓ create channel s
x = |0⟩ ; s ; P(s) | Q(x,s)
  ↓ expand definitions
x = |0⟩ ; s ;
    s?[y:Qbit, t:^[Qbit]] . t![y] . 0 | s?[y:Qbit, t:^[Qbit]] . {y *= σ1} . t![y] . 0
    | {x *= H} . (new t:^[Qbit])(s![x,t] . t?[z:Qbit] . {z *= H} . C(z))
  ↓ transform x
x = (1/√2)(|0⟩ + |1⟩) ; s ;
    s?[y:Qbit, t:^[Qbit]] . t![y] . 0 | s?[y:Qbit, t:^[Qbit]] . {y *= σ1} . t![y] . 0
    | (new t:^[Qbit])(s![x,t] . t?[z:Qbit] . {z *= H} . C(z))
  ↓ create channel t
x = (1/√2)(|0⟩ + |1⟩) ; s,t ;
    s?[y:Qbit, t:^[Qbit]] . t![y] . 0 | s?[y:Qbit, t:^[Qbit]] . {y *= σ1} . t![y] . 0
    | s![x,t] . t?[z:Qbit] . {z *= H} . C(z)
  ↙ ↘ communication

Left branch:

x = (1/√2)(|0⟩ + |1⟩) ; s,t ;
    t![x] . 0 | Garbage | t?[z:Qbit] . {z *= H} . C(z)
  ↓
x = (1/√2)(|0⟩ + |1⟩) ; s,t ;
    Garbage | {x *= H} . C(x)
  ↓
x = |0⟩ ; s,t ; Garbage | C(x)

Right branch:

x = (1/√2)(|0⟩ + |1⟩) ; s,t ;
    Garbage | {x *= σ1} . t![x] . 0 | t?[z:Qbit] . {z *= H} . C(z)
  ↓ transform x
x = (1/√2)(|0⟩ + |1⟩) ; s,t ;
    Garbage | t![x] . 0 | t?[z:Qbit] . {z *= H} . C(z)
  ↓ communication
x = (1/√2)(|0⟩ + |1⟩) ; s,t ;
    Garbage | {x *= H} . C(x)
  ↓ transform x
x = |0⟩ ; s,t ; Garbage | C(x)

Figure 2: Execution of the coin-flipping game



Alice(x:Qbit, c:^[0..3], z:Qbit) = {z, x *= CNot} . {z *= H} . c![measure z, x] . 0

Bob(y:Qbit, c:^[0..3]) = c?[r:0..3] . {y *= σr} . Use(y)

System(x:Qbit, y:Qbit, z:Qbit) = (new c:^[0..3])(Alice(x, c, z) | Bob(y, c))

Figure 3: Quantum teleportation in CQP

  ↓ expand definition
x,y,z = (1/√2)|001⟩ + (1/√2)|111⟩ ; ∅ ; (new c:^[0..3])(Alice(x, c, z) | Bob(y, c))
  ↓ create channel c
x,y,z = (1/√2)|001⟩ + (1/√2)|111⟩ ; c ; Alice(x, c, z) | Bob(y, c)
  ↓ expand definitions
x,y,z = (1/√2)|001⟩ + (1/√2)|111⟩ ; c ;
    {z,x *= CNot} . {z *= H} . c![measure z,x] . 0 | c?[r:0..3] . {y *= σr} . Use(y)
  ↓ permute x,y,z
z,x,y = (1/√2)|100⟩ + (1/√2)|111⟩ ; c ;
    {z,x *= CNot} . {z *= H} . c![measure z,x] . 0 | c?[r:0..3] . {y *= σr} . Use(y)
  ↓ transform z,x
z,x,y = (1/√2)|110⟩ + (1/√2)|101⟩ ; c ;
    {z *= H} . c![measure z,x] . 0 | c?[r:0..3] . {y *= σr} . Use(y)
  ↓ transform z
z,x,y = ½|001⟩ + ½|010⟩ − ½|101⟩ − ½|110⟩ ; c ;
    c![measure z,x] . 0 | c?[r:0..3] . {y *= σr} . Use(y)
  ↓ measure z,x
    ¼ • (z,x,y = |001⟩ ; c ; c![0] . 0 | c?[r:0..3] . {y *= σr} . Use(y))
  ⊞ ¼ • (z,x,y = |010⟩ ; c ; c![1] . 0 | c?[r:0..3] . {y *= σr} . Use(y))
  ⊞ ¼ • (z,x,y = |101⟩ ; c ; c![2] . 0 | c?[r:0..3] . {y *= σr} . Use(y))
  ⊞ ¼ • (z,x,y = |110⟩ ; c ; c![3] . 0 | c?[r:0..3] . {y *= σr} . Use(y))

  ↓ ¼
z,x,y = |001⟩ ; c ; c![0] . 0 | c?[r:0..3] . {y *= σr} . Use(y)
  ↓ communication
z,x,y = |001⟩ ; c ; {y *= σ0} . Use(y)
  ↓ transform y
z,x,y = |001⟩ ; c ; Use(y)

  ↓ ¼
z,x,y = |010⟩ ; c ; c![1] . 0 | c?[r:0..3] . {y *= σr} . Use(y)
  ↓ communication
z,x,y = |010⟩ ; c ; {y *= σ1} . Use(y)
  ↓ transform y
z,x,y = |011⟩ ; c ; Use(y)

  ↓ ¼
z,x,y = |101⟩ ; c ; c![2] . 0 | c?[r:0..3] . {y *= σr} . Use(y)
  ↓ communication
z,x,y = |101⟩ ; c ; {y *= σ2} . Use(y)
  ↓ transform y
z,x,y = −i|101⟩ ; c ; Use(y)

  ↓ ¼
z,x,y = |110⟩ ; c ; c![3] . 0 | c?[r:0..3] . {y *= σr} . Use(y)
  ↓ communication
z,x,y = |110⟩ ; c ; {y *= σ3} . Use(y)
  ↓ transform y
z,x,y = −|111⟩ ; c ; Use(y)

Figure 4: Execution of the quantum teleportation protocol



Alice'(s:^[Qbit], c:^[0..3], z:Qbit) = s?[x:Qbit] . Alice(x, c, z)
Bob'(t:^[Qbit], c:^[0..3]) = t?[y:Qbit] . Bob(y, c)

Source(s:^[Qbit], t:^[Qbit]) = (qbit x, y)({x *= H} . {x, y *= CNot} . s![x] . t![y] . 0)

System'(z:Qbit) = (new c:^[0..3], s:^[Qbit], t:^[Qbit])(Alice'(s, c, z) | Bob'(t, c) | Source(s, t))

Figure 5: Quantum teleportation with an EPR source

Alice(x:Bit, xs:Bit List, c:^[Qbit], d:^[Bit], e:^[Int], f:^[Bit List]) =
    e![length(xs)] . AliceSend(x, length(xs), xs, xs, c, d, e, f)

AliceSend(x:Bit, n:Int, xs:Bit List, ys:Bit List, c:^[Qbit], d:^[Bit], e:^[Int], f:^[Bit List]) =
    if n = 0 then AliceReceive(x, length(ys), ys, c, d, e, f)
    else (qbit q)({if hd(xs) = 1 then q *= σ1 else unit} . {if x = 1 then q *= H else unit} . c![q] .
                  AliceSend(x, n − 1, tl(xs), ys, c, d, e, f))

AliceReceive(x:Bit, n:Int, ys:Bit List, d:^[Bit], f:^[Bit List]) = d?[g:Bit] . d![x] . f![ys] . 0

Bob(c:^[Qbit], d:^[Bit], e:^[Int], f:^[Bit List], r:^[Bit]) = e?[n:Int] . BobReceive([], n, c, d, f, r)

BobReceive(m:(Bit * Bit) List, n:Int, c:^[Qbit], d:^[Bit], e:^[Int], f:^[Bit List], r:^[Bit]) =
    if n = 0 then r?[g:Bit] . d![g] . d?[a:Bit] . f?[vs:Bit List] . BobVerify(m, vs, a, length(m))
    else c?[x:Qbit] . r?[y:Bit] . {if y = 1 then x *= H else unit} . BobReceive(m@[(y, measure x)], n − 1, c, d, r)

BobVerify(m:(Bit * Bit) List, vs:Bit List, a:Bit, n:Int) =
    if n = 0 then Verified
    else if fst(hd(m)) = a then
        if snd(hd(m)) = hd(vs) then BobVerify(tl(m), tl(vs), a, n − 1)
        else NotVerified
    else BobVerify(tl(m), tl(vs), a, n − 1)

Random(r:^[Bit]) = (qbit q)({q *= H} . r![measure q] . Random(r))

System(x:Bit, xs:Bit List) =
    (new c:^[Qbit], d:^[Bit], e:^[Int], f:^[Bit List], r:^[Bit])
    (Alice(x, xs, c, d, e, f) | Bob(c, d, e, f, r) | Random(r))

Figure 6: Quantum bit-commitment in CQP

T ::= Int | Unit | Qbit | ^[T̃] | Op(1) | Op(2) | ...
v ::= x | 0 | 1 | ... | unit | H | ...
e ::= v | measure ẽ | ẽ *= e | e + e

P ::= 0 | (P | P) | e?[x̃:T̃] . P | e![ẽ] . P | {e} . P | (new x:T)P | (qbit x)P

Figure 7: Syntax of CQP

v ::= ... | q | c

E ::= [ ] | measure E, ẽ | measure v, E, ẽ | ... | measure ṽ, E | E, ẽ *= e | v, E, ẽ *= e
    | ... | ṽ *= E | E + e | v + E
F ::= [ ]?[x̃:T̃] . P | [ ]![ẽ] . P | v![[ ], ẽ] . P | v![v, [ ], ẽ] . P | ... | v![ṽ, [ ]] . P | {[ ]} . P

Figure 8: Internal syntax of CQP

P | 0 ≡ P                       (S-Nil)
P | Q ≡ Q | P                   (S-Comm)
P | (Q | R) ≡ (P | Q) | R       (S-Assoc)

Figure 9: Structural congruence

3.2 Quantum Teleportation

The quantum teleportation protocol is a procedure
for transmitting a quantum state via a non-quantum
medium. This protocol is particularly important: not
only is it a fundamental component of several more
complex protocols, but it is likely to be a key enabling
technology for the development of the quantum repeaters
which will be necessary in large-scale quantum
communication networks.

Figure 3 shows a simple model of the quantum
teleportation protocol. Alice and Bob each possess one
qubit (x for Alice, y for Bob) of an entangled pair whose
state is $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$. At this point we are assuming
that appropriate qubits will be supplied to Alice and
Bob as parameters of the system. Alice is also
parameterized by a qubit z, whose state is to be teleported. She
applies (z, x *= CNot) the conditional not transformation
to z and x and then applies (z *= H) the Hadamard
transformation to z, finally measuring z and x to yield a
two-bit classical value which she sends (c![measure z, x])
to Bob on the typed channel c:^[0..3] and then
terminates (0). Bob receives (c?[r:0..3]) this value and uses
it to select^ a Pauli transformation σ0 … σ3 to apply
(y *= σr) to y. The result is that Bob's qubit y takes
on the state of z, without a physical qubit having been
transmitted from Alice to Bob. Bob may then use y in
his continuation process Use(y).

This example introduces measurement, with a
syntax similar to that of Selinger's QPL. We treat
measurement as an expression, executed for its value as
well as its side-effect on the quantum state. Because the
result of a measurement is probabilistic, evaluation of a
measure expression introduces a probability distribution
over configurations: $\boxplus_{0 \le i \le n}\, p_i \bullet (\sigma_i; \phi_i; P_i)$. The next
step is a probabilistic transition to one of the
configurations; no reduction takes place underneath a
probability distribution. In general a configuration reduces
non-deterministically to one of a collection of
probability distributions over configurations (in some cases this
is trivial, with only one distribution or only one
configuration within a distribution). A non-trivial probability
distribution makes a probabilistic transition to a single
configuration; this step is omitted in the case of a trivial
distribution.

Figure 4 shows the complete execution of System in
the particular case in which z, the qubit being
teleported, has state $|1\rangle$. The measurement produces a
probability distribution over four configurations, but
in all cases the final configuration (process Use(y))
has a state consisting of a single basis vector in which
$y = |1\rangle$. To verify the protocol for an arbitrary qubit,
we can repeat the calculation with initial state
$x,y,z = \frac{\alpha}{\sqrt{2}}(|000\rangle + |110\rangle) + \frac{\beta}{\sqrt{2}}(|001\rangle + |111\rangle)$.

^ We can easily extend the expression language of CQP to allow
explicit testing of r.

Alice and Bob are parameterized by their parts (x, y)
of the entangled pair (and by the channel c). We can be
more explicit about the origin of the entangled pair by
introducing what is known in the physics literature as
an EPR source^ (computer scientists might regard it as
an entanglement server). This process constructs the
entangled pair (by using the Hadamard and controlled
not transformations) and sends its components to Alice
and Bob on the typed channels s,t:^[Qbit]. Figure 5
shows the revised model.

3.3 Bit-Commitment 

The bit-commitment problem is to design a protocol 
such that Alice chooses a one-bit value which Bob then 
attempts to guess. The key issue is that Alice must 
evaluate Bob's guess with respect to her original choice 
of bit, without changing her mind; she must be com- 
mitted to her choice. Similarly, Bob must not find out 
Alice's choice before making his guess. Bit-commitment 
turns out to be an important primitive in cryptographic 
protocols. Classical bit-commitment schemes rely on 
assumptions on the computational complexity of cer- 
tain functions; it is natural to ask whether quantum 
techniques can remove these assumptions. 

We will discuss a quantum bit-commitment protocol
due to Bennett and Brassard, which is closely related
to the quantum key-distribution protocol proposed in
the same paper and known as BB84. The following
description of the protocol is based on Gruska's
presentation.

1. Alice randomly chooses a bit x and a sequence of
bits xs. She encodes xs as a sequence of qubits
and sends them to Bob. This encoding uses the
standard basis (representing 0 by $|0\rangle$ and 1 by $|1\rangle$)
if x = 0, and the diagonal basis (representing 0 by
$|+\rangle$ and 1 by $|-\rangle$) if x = 1.

2. Upon receiving each qubit, Bob randomly chooses
to measure it with respect to either the standard
basis or the diagonal basis. For each measurement
he stores the result and his choice of basis. If the
basis he chose matches Alice's x then the result of
the measurement is the same as the corresponding
bit from xs; if not, then the result is 0 or 1 with
equal probability. After receiving all of the qubits,
Bob tells Alice his guess at the value of x.

3. Alice tells Bob whether or not he guessed correctly.
To certify her claim she sends xs to Bob.

4. Bob verifies Alice's claim by looking at the
measurements in which he used the basis corresponding
to x, and checking that the results are the same
as the corresponding bits from xs. He can also
check that the results of the other measurements
are sufficiently random (i.e. not significantly
correlated with the corresponding bits from xs).

^EPR stands for Einstein, Podolsky and Rosen.

Figure 6 shows our model of this protocol in CQP.
The complexity of the definitions reflects the fact that
we have elaborated much of the computation which is
implicit in the original description. The definitions use
the following features which are not present in our
formalization of CQP, but can easily be added.

• The type constructor List and associated functions 
and constructors such as hd, tl, length, [], @. 

• Product types (*) and functions such as fst, snd. 

• if — then — else for expressions and processes. 

• Recursive process definitions. 

Alice is parameterized by x and xs; they could be
explicitly chosen at random if desired. Bob uses m to
record the results of his measurements, and n (received
from Alice initially) as a recursion parameter. Bob
receives random bits, for his choices of basis, from the
server Random; he also guesses x randomly. The state
BobVerify carries out the first part of step (4) above,
but we have not included a check for non-correlation of
the remaining bits.

Communication between Alice and Bob uses four
separate channels, c, …, f. This proliferation of
channels is a consequence of the fact that our type system
associates a unique message type with each channel.
Introducing session types would allow a single channel
to be used for the entire protocol, although it is worth
noting that depending on the physical implementation
of qubits, separation of classical and quantum channels
might be the most accurate model.

We intend to use this CQP model as the basis for
various kinds of formal analysis of the bit-commitment
protocol; we make some specific suggestions in
Section. We should point out, however, that this
bit-commitment protocol is insecure in that it allows Alice
to cheat: if each qubit which she sends to Bob is part of
an entangled pair, then Bob's measurements transmit
information back to Alice which she can use to change
x after receiving Bob's guess. The real value of
quantum bit-commitment is as a stepping-stone to the BB84
quantum key-distribution protocol, which has a very
similar structure and is already being used in practical
quantum communication systems.
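The following Python simulation is an added example, not part of the paper. It runs the protocol of Figure 6 with an honest Alice and then with the entangled-pair variant described above, and shows that Bob's check from step 4 accepts whichever x Alice announces, so the commitment is not binding; it also exercises the basis-mismatch behaviour from Section 2. The state-vector helpers, function names and seeds are this example's own assumptions; bases are encoded as 0 (standard) and 1 (diagonal).

```python
import math
import random

S = 1 / math.sqrt(2)
H = ((S, S), (S, -S))   # Hadamard: switches between standard and diagonal basis
X = ((0, 1), (1, 0))    # bit flip (sigma_1 in the text)

def apply_1q(state, gate, k, n):
    """Apply a 2x2 gate to qubit k (0 = leftmost) of an n-qubit state vector."""
    shift = n - 1 - k
    out = [0.0] * len(state)
    for i, amp in enumerate(state):
        bit = (i >> shift) & 1
        for b in (0, 1):
            j = (i & ~(1 << shift)) | (b << shift)
            out[j] += gate[b][bit] * amp
    return out

def measure(state, k, n, basis, rng):
    """Measure qubit k in the standard (0) or diagonal (1) basis.

    A diagonal measurement is H followed by a standard measurement.
    Returns (bit, post_state); the unmeasured qubits stay usable.
    """
    if basis == 1:
        state = apply_1q(state, H, k, n)
    shift = n - 1 - k
    prob = [0.0, 0.0]
    for i, amp in enumerate(state):
        prob[(i >> shift) & 1] += abs(amp) ** 2
    bit = 1 if rng.random() < prob[1] / (prob[0] + prob[1]) else 0
    norm = math.sqrt(prob[bit])
    post = [a / norm if ((i >> shift) & 1) == bit else 0.0
            for i, a in enumerate(state)]
    return bit, post

def bob_receive(states, k, n, rng):
    """Bob in Figure 6: random basis y per qubit, store (y, measure x)."""
    record, posts = [], []
    for st in states:
        y = rng.randint(0, 1)
        bit, post = measure(st, k, n, y, rng)
        record.append((y, bit))
        posts.append(post)
    return record, posts

def bob_verify(record, vs, a):
    """BobVerify: where Bob's basis equals the revealed a, results must equal vs."""
    return all(bit == v for (y, bit), v in zip(record, vs) if y == a)

def honest_commit(x, xs):
    """AliceSend: encode each bit of xs in the basis chosen by x, from |0>."""
    states = []
    for b in xs:
        q = [1.0, 0.0]
        if b == 1:
            q = apply_1q(q, X, 0, 1)
        if x == 1:
            q = apply_1q(q, H, 0, 1)
        states.append(q)
    return states

def cheat_commit(n_bits):
    """Entangled variant: pairs (|00>+|11>)/sqrt(2); qubit 1 of each goes to Bob."""
    return [[S, 0.0, 0.0, S] for _ in range(n_bits)]

def cheat_open(pairs, claimed_x, rng):
    """After Bob's guess, measure the retained halves in the basis of the claimed x."""
    return [measure(p, 0, 2, claimed_x, rng)[0] for p in pairs]

def cheating_game(n_bits, rng):
    """Bob measures and guesses; Alice claims the opposite and certifies it."""
    record, pairs = bob_receive(cheat_commit(n_bits), 1, 2, rng)
    guess = rng.randint(0, 1)
    claimed_x = 1 - guess
    vs = cheat_open(pairs, claimed_x, rng)
    return guess, claimed_x, bob_verify(record, vs, claimed_x)

if __name__ == "__main__":
    rng = random.Random(2004)   # constructed seed, for repeatability
    xs = [rng.randint(0, 1) for _ in range(64)]
    record, _ = bob_receive(honest_commit(1, xs), 0, 1, rng)
    print("honest, true x   :", bob_verify(record, xs, 1))
    print("honest, flipped x:", bob_verify(record, xs, 0))
    print("entangled variant:", [cheating_game(64, rng) for _ in range(3)])
```

With prepared (unentangled) qubits a changed x is caught by BobVerify; with entangled pairs the same check passes for either claim, which is why verification alone cannot enforce commitment here.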



4 Syntax and Operational Semantics 

We now formally define the syntax and operational se- 
mantics of the core of CQP, excluding named process 
definitions and recursion, which can easily be added. 

4.1 Syntax 

The syntax of CQP is defined by the grammar in
Figure 7. Types T consist of data types such as Int and Unit
(others can easily be added), the type Qbit of qubits,
channel types ^[T1, …, Tn] (specifying that each
message is an n-tuple with component types T1, …, Tn) and
operator types Op(n) (the type of a unitary operator on
n qubits). The integer range type 0..3 used in the
teleportation example is purely for clarification and should
be replaced by Int; we do not expect to typecheck with
range types.

We use the notation T̃ = T1, …, Tn and ẽ =
e1, …, en and write |ẽ| for the length of a tuple. Values
v consist of variables (x, y, z etc.), literal values of data
types (0, 1, … and unit) and unitary operators such as
the Hadamard operator H. Expressions e consist of
values, measurements measure e1, …, en, applications of
unitary operators e1, …, en *= e, and expressions
involving data operators such as e + e′ (others can easily
be added). Note that although the syntax refers to
measurements and transformation of expressions e, the type
system will require these expressions to refer to qubits.
Processes P consist of the null (terminated) process 0,
parallel compositions P | Q, inputs e?[x̃:T̃] . P
(notation: x̃:T̃ = x1:T1, …, xn:Tn, declaring the types of
all the input-bound variables), outputs e![ẽ] . P, actions
{e} . P (typically e will be an application of a unitary
operator), channel declarations (new x:T)P and qubit
declarations (qbit x)P. In inputs and outputs, the
expression e will be constrained by the type system to
refer to a channel.

The grammar in Figure 8 defines the internal
syntax of CQP, which is needed in order to define the
operational semantics. Values are extended by two new
forms: qubit names q, and channel names c.
Evaluation contexts E[] (for expressions) and F[] (for
processes) are used in the definition of the operational
semantics, in the style of Wright and Felleisen. The
structure of E[] is used to define call-by-value
evaluation of expressions; the hole [] specifies the first part of
the expression to be evaluated. The structure of F[] is
used to define reductions of processes, specifying which
expressions within a process must be evaluated.

Given a process P we define its free variables fv(P),
free qubit names fq(P) and free channel names fc(P)
in the usual way; the binders (of x̃ or x) are y?[x̃:T̃],
(qbit x) and (new x:T).






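$$(\sigma; \phi; u + v) \longrightarrow_v (\sigma; \phi; w) \quad \text{if } u \text{ and } v \text{ are integer literals and } u + v = w \qquad \text{(R-Plus)}$$

$$(q_0, \ldots, q_{n-1} = \alpha_0|\psi_0\rangle + \cdots + \alpha_{2^n-1}|\psi_{2^n-1}\rangle;\ \phi;\ \mathsf{measure}\ q_0, \ldots, q_{r-1}) \qquad \text{(R-Measure)}$$

where $l_m = 2^{n-r}m$, $u_m = 2^{n-r}(m+1) - 1$, $p_m = |\alpha_{l_m}|^2 + \cdots + |\alpha_{u_m}|^2$

$$(q_0, \ldots, q_{n-1} = |\psi\rangle;\ \phi;\ q_0, \ldots, q_{r-1} \mathbin{*\!=} U) \longrightarrow_v (q_0, \ldots, q_{n-1} = (U \otimes I_{n-r})|\psi\rangle;\ \phi;\ \mathsf{unit}) \qquad \text{(R-Trans)}$$

where $U$ is a unitary operator of arity $r$

$$(q_0, \ldots, q_{n-1} = |\psi\rangle;\ \phi;\ e) \longrightarrow_v (q_{\pi(0)}, \ldots, q_{\pi(n-1)} = \Pi|\psi\rangle;\ \phi;\ e) \qquad \text{(R-Perm)}$$

where $\pi$ is a permutation and $\Pi$ is the corresponding unitary operator

$$\frac{(\sigma; \phi; e) \longrightarrow_v \boxplus_i\, p_i \bullet (\sigma_i; \phi_i; e_i)}{(\sigma; \phi; E[e]) \longrightarrow_e \boxplus_i\, p_i \bullet (\sigma_i; \phi_i; E[e_i])} \qquad \text{(R-Context)}$$

Figure 10: Reduction rules for expression configurations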



4.2 Operational Semantics 

The operational semantics of CQP is defined by
reductions (small-step evaluations of expressions, or
inter-process communications) and probabilistic transitions.
The general form of a reduction is $t \longrightarrow \boxplus_i\, p_i \bullet t_i$ where
$t$ and the $t_i$ are configurations consisting of
expressions or processes with state information. The
notation $\boxplus_i\, p_i \bullet t_i$ denotes a probability distribution over
configurations, in which $\sum_i p_i = 1$; we may also write
this distribution as $p_1 \bullet t_1 \boxplus \cdots \boxplus p_n \bullet t_n$. If the
probability distribution contains a single configuration (with
probability 1) then we simply write $t \longrightarrow t'$.
Probability distributions reduce probabilistically to single
configurations: $\boxplus_i\, p_i \bullet t_i \xrightarrow{p_i} t_i$ (with probability $p_i$, the
distribution $\boxplus_i\, p_i \bullet t_i$ reduces to $t_i$).

The semantics of expressions is defined by the
reduction relations $\longrightarrow_v$ and $\longrightarrow_e$ (Figure 10), both
on configurations of the form $(\sigma; \phi; e)$. If $n$ qubits have
been declared then $\sigma$ has the form $q_0, \ldots, q_{n-1} = |\psi\rangle$
where $|\psi\rangle = \alpha_0|\psi_0\rangle + \cdots + \alpha_{2^n-1}|\psi_{2^n-1}\rangle$ is an
element of the $2^n$-dimensional vector space with basis
$|\psi_0\rangle = |0\ldots0\rangle, \ldots, |\psi_{2^n-1}\rangle = |1\ldots1\rangle$. The
remaining part of the configuration, $\phi$, is a list of channel
names. Reductions $\longrightarrow_v$ are basic steps of
evaluation, defined by the rules R-Plus (and similar rules for
any other data operators), R-Measure and R-Trans.
Rule R-Perm allows qubits in the state to be
permuted, compensating for the way that R-Measure and
R-Trans operate on qubits listed first in the state.
Measurement specifically measures the values of a
collection of qubits; in the future we should generalize to
measuring observables as allowed by quantum physics.

Reductions $\longrightarrow_e$ extend execution to evaluation
contexts $E[\,]$, as defined by rule R-Context. Note that
the probability distribution remains at the top level.

Figure 11 defines the reduction relation $\longrightarrow$ on
configurations of the form $(\sigma; \phi; P)$. Rule R-Expr lifts
reductions of expressions to contexts, again keeping
probability distributions at the top level. Rule R-Com
defines communication in the style of pi-calculus,
making use of substitution, which is defined in the usual
way (we assume that bound identifiers are renamed to
avoid capture). Rule R-Act trivially removes actions;
in general the reduction of the action expression to $v$
will have involved side-effects such as measurement or
transformation of quantum state. Rules R-New and
R-Qbit create new channels and qubits, updating the
state information in the configuration. Note that this
treatment of channel creation is different from standard
presentations of the pi-calculus; we treat both qubits
and channels as elements of a global store. Rule R-Par
allows reduction to take place in parallel contexts, again
lifting the probability distribution to the top level, and
rule R-Cong allows the use of a structural congruence
relation as in the pi-calculus. Structural congruence is
the smallest congruence relation (closed under the
process constructions) containing α-equivalence and closed
under the rules in Figure 9.

5 Type System 

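The typing rules defined in Figure apply to the
syntax defined in Figure 7. Environments $\Gamma$ are mappings
from variables to types in the usual way. Typing
judgements are of two kinds. $\Gamma \vdash e : T$ means that
expression $e$ has type $T$ in environment $\Gamma$. $\Gamma \vdash P$ means that
process $P$ is well-typed in environment $\Gamma$. The rules
for expressions are straightforward; note that in rule
T-Trans, $x_1, \ldots, x_n$ must be distinct variables of type
Qbit.

$$\frac{(\sigma; \phi; e) \longrightarrow_e \boxplus_i\, p_i \bullet (\sigma_i; \phi_i; e_i)}{(\sigma; \phi; F[e]) \longrightarrow \boxplus_i\, p_i \bullet (\sigma_i; \phi_i; F[e_i])} \qquad \text{(R-Expr)}$$

$$(\sigma; \phi; c![\tilde{v}]\,.\,P \mid c?[\tilde{x}{:}\tilde{T}]\,.\,Q) \longrightarrow (\sigma; \phi; P \mid Q\{\tilde{v}/\tilde{x}\}) \quad \text{if } |\tilde{v}| = |\tilde{x}| \qquad \text{(R-Com)}$$

$$(\sigma; \phi; \{v\}\,.\,P) \longrightarrow (\sigma; \phi; P) \qquad \text{(R-Act)}$$

$$(\sigma; \phi; (\mathsf{new}\ x{:}T)P) \longrightarrow (\sigma; \phi, c; P\{c/x\}) \quad \text{where } c \text{ is fresh} \qquad \text{(R-New)}$$

$$(q_0, \ldots, q_n = |\psi\rangle;\ \phi;\ (\mathsf{qbit}\ x)P) \longrightarrow (q_0, \ldots, q_n, q = |\psi\rangle \otimes |0\rangle;\ \phi;\ P\{q/x\}) \quad \text{where } q \text{ is fresh} \qquad \text{(R-Qbit)}$$

$$\frac{(\sigma; \phi; P) \longrightarrow \boxplus_i\, p_i \bullet (\sigma_i; \phi_i; P_i)}{(\sigma; \phi; P \mid Q) \longrightarrow \boxplus_i\, p_i \bullet (\sigma_i; \phi_i; P_i \mid Q)} \qquad \text{(R-Par)}$$

$$\frac{P' \equiv P \qquad (\sigma; \phi; P) \longrightarrow \boxplus_i\, p_i \bullet (\sigma_i; \phi_i; P_i) \qquad \forall i.(P_i \equiv P_i')}{(\sigma; \phi; P') \longrightarrow \boxplus_i\, p_i \bullet (\sigma_i; \phi_i; P_i')} \qquad \text{(R-Cong)}$$

$$\boxplus_i\, p_i \bullet (\sigma_i; \phi_i; P_i) \xrightarrow{p_i} (\sigma_i; \phi_i; P_i) \qquad \text{(R-Prob)}$$

Figure 11: Reduction rules for process configurations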



In rule T-Par the operation + on environments 
(Definition Q is the key to ensuring that each qubit 
is controlled by a unique part of a system. An implicit 
hypothesis of T-Par is that Fi + F2 must be defined. 
This is very similar to the linear type system for the 
pi-calculus, defined by Kobayashi et al. 

Definition 1 (Addition of Environments) 

The partial operation of adding a typed variable to an 
environment, V -\- x:T, is defined by 

T + x:T = T,x:T if x ^ dom{T) 

T + x:T = F if T ^ Qb\t and X -.T e T 

T + x:T = undefined, otherwise 

This operation is extended inductively to a partial oper- 
ation T + A on environments. 

Rule T-OuT allows output of classical values and 
qubits to be combined, but the qubits must be distinct 
variables and they cannot be used by the continuation 
of the outputting process (note the hypothesis F h _P). 
The remaining rules are straightforward. 

According to the operational semantics, execution of
(qbit ) and (new ) declarations introduces qubit names
and channel names. In order to be able to use the type
system to prove results about the behaviour of executing
processes, we introduce the internal type system
(Figure 13). This uses judgements $\Gamma;\Sigma;\Phi \vdash e : T$ and
$\Gamma;\Sigma;\Phi \vdash P$ where $\Sigma$ is a set of qubit names and $\Phi$ is
a mapping from channel names to channel types. Most
of the typing rules are straightforward extensions of the
corresponding rules in Figure 12. Because references
to qubits may now be either variables or explicit qubit
names, the rules represent them by general expressions
$e$ and impose conditions that $e$ is either a variable or
a qubit name. This is seen in rules IT-Trans and
IT-Out. Note that in IT-Par, the operation $\Sigma_1 + \Sigma_2$
is disjoint union and an implicit hypothesis is that $\Sigma_1$
and $\Sigma_2$ are disjoint.

By standard techniques for linear type systems, the
typing rules in Figure 12 can be converted into a
type-checking algorithm for CQP models.

As an illustration of the linear control of qubits, consider
the coin-flipping example (Figure ). In $P$, any
non-trivial continuation replacing would not be able
to use the qubit $y$, which has been sent out. In $Q$, after
the qubit $x$ has been sent on $s$, the continuation cannot
use $x$. Of course, at run-time, the qubit variable $z$ in
$t?[z : \mathsf{Qbit}]$ is instantiated by $x$, but that is not a problem
because $P$ does not use $x$ after sending it. In System, $x$
is used as an actual parameter of $Q$ and therefore could
not also be used as an actual parameter of $P$ (if $P$ had
a formal parameter of type Qbit).

6 Soundness of the Type System 

We prove a series of standard lemmas, following the approach
of Wright and Felleisen, leading to a proof
that typing is preserved by execution of processes
(Theorem 1). We then prove that in a typable process, each
qubit is used by at most one of any parallel collection
of sub-processes (Theorem 2); because of type preservation,
this property holds at every step of the execution
of a typable process. This reflects the physical reality
of the protocols which we want to model.
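$$\Gamma \vdash v : \mathsf{Int} \ \text{ if $v$ is an integer literal} \qquad \Gamma \vdash \mathsf{unit} : \mathsf{Unit} \quad \text{(T-IntLit/T-Unit)}$$

$$\Gamma \vdash \mathsf{H} : \mathsf{Op}(2) \ \text{ etc.} \qquad \Gamma, x{:}T \vdash x : T \quad \text{(T-Op/T-Var)}$$

$$\frac{\Gamma \vdash e : \mathsf{Int} \qquad \Gamma \vdash e' : \mathsf{Int}}{\Gamma \vdash e + e' : \mathsf{Int}} \qquad \frac{\Gamma \vdash e : \mathsf{Qbit}}{\Gamma \vdash \mathsf{measure}\ e : \mathsf{Int}} \quad \text{(T-Plus/T-Msure)}$$

$$\frac{\forall i.(x_i : \mathsf{Qbit} \in \Gamma) \qquad x_1 \ldots x_n \text{ distinct} \qquad \Gamma \vdash U : \mathsf{Op}(n)}{\Gamma \vdash x_1,\ldots,x_n \mathrel{*\!=} U : \mathsf{Unit}} \quad \text{(T-Trans)}$$

$$\Gamma \vdash \mathbf{0} \qquad \frac{\Gamma_1 \vdash P \qquad \Gamma_2 \vdash Q}{\Gamma_1 + \Gamma_2 \vdash P \mid Q} \quad \text{(T-Nil/T-Par)}$$

$$\frac{\Gamma \vdash x : \hat{\ }[T_1,\ldots,T_n] \qquad \Gamma, y_1{:}T_1,\ldots,y_n{:}T_n \vdash P}{\Gamma \vdash x?[y_1{:}T_1,\ldots,y_n{:}T_n].P} \qquad \frac{\Gamma, x{:}\mathsf{Qbit} \vdash P}{\Gamma \vdash (\mathsf{qbit}\ x)P} \quad \text{(T-In/T-Qbit)}$$

$$\frac{\Gamma \vdash x : \hat{\ }[T_1,\ldots,T_m,\mathsf{Qbit},\ldots,\mathsf{Qbit}] \qquad \forall i.(T_i \neq \mathsf{Qbit}) \qquad \forall i.(\Gamma \vdash e_i : T_i) \qquad y_i \text{ distinct} \qquad \Gamma \vdash P}{\Gamma, y_1{:}\mathsf{Qbit},\ldots,y_n{:}\mathsf{Qbit} \vdash x![e_1,\ldots,e_m,y_1,\ldots,y_n].P} \quad \text{(T-Out)}$$

$$\frac{\Gamma \vdash e : T \qquad \Gamma \vdash P}{\Gamma \vdash \{e\}.P} \qquad \frac{\Gamma, x{:}\hat{\ }[T_1,\ldots,T_n] \vdash P}{\Gamma \vdash (\mathsf{new}\ x{:}\hat{\ }[T_1,\ldots,T_n])P} \quad \text{(T-Act/T-New)}$$

Figure 12: Typing rules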



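$$\Gamma;\Sigma;\Phi \vdash v : \mathsf{Int} \ \text{ if $v$ is an integer literal} \qquad \Gamma;\Sigma;\Phi \vdash \mathsf{unit} : \mathsf{Unit} \quad \text{(IT-IntLit/IT-Unit)}$$

$$\Gamma;\Sigma;\Phi \vdash \mathsf{H} : \mathsf{Op}(2) \ \text{ etc.} \qquad \Gamma, x{:}T;\Sigma;\Phi \vdash x : T \quad \text{(IT-Op/IT-Var)}$$

$$\Gamma;\Sigma,q;\Phi \vdash q : \mathsf{Qbit} \qquad \Gamma;\Sigma;\Phi,c{:}T \vdash c : T \quad \text{(IT-IdQ/IT-IdC)}$$

$$\frac{\Gamma;\Sigma;\Phi \vdash e : \mathsf{Int} \qquad \Gamma;\Sigma;\Phi \vdash e' : \mathsf{Int}}{\Gamma;\Sigma;\Phi \vdash e + e' : \mathsf{Int}} \qquad \frac{\Gamma;\Sigma;\Phi \vdash e : \mathsf{Qbit}}{\Gamma;\Sigma;\Phi \vdash \mathsf{measure}\ e : \mathsf{Int}} \quad \text{(IT-Plus/IT-Msure)}$$

$$\frac{\forall i.(\Gamma;\Sigma;\Phi \vdash e_i : \mathsf{Qbit}) \qquad \Gamma;\Sigma;\Phi \vdash U : \mathsf{Op}(n) \qquad \text{each $e_i$ is either $x_i$ or $q_i$, all distinct}}{\Gamma;\Sigma;\Phi \vdash e_1,\ldots,e_n \mathrel{*\!=} U : \mathsf{Unit}} \quad \text{(IT-Trans)}$$

$$\Gamma;\Sigma;\Phi \vdash \mathbf{0} \qquad \frac{\Gamma_1;\Sigma_1;\Phi \vdash P \qquad \Gamma_2;\Sigma_2;\Phi \vdash Q}{\Gamma_1 + \Gamma_2;\Sigma_1 + \Sigma_2;\Phi \vdash P \mid Q} \quad \text{(IT-Nil/IT-Par)}$$

$$\frac{\Gamma;\Sigma;\Phi \vdash e : \hat{\ }[T_1,\ldots,T_n] \qquad \Gamma, y_1{:}T_1,\ldots,y_n{:}T_n;\Sigma;\Phi \vdash P}{\Gamma;\Sigma;\Phi \vdash e?[y_1{:}T_1,\ldots,y_n{:}T_n].P} \qquad \frac{\Gamma, x{:}\mathsf{Qbit};\Sigma;\Phi \vdash P}{\Gamma;\Sigma;\Phi \vdash (\mathsf{qbit}\ x)P} \quad \text{(IT-In/IT-Qbit)}$$

$$\frac{\begin{array}{c}\Gamma;\Sigma;\Phi \vdash e : \hat{\ }[\tilde{T},\widetilde{\mathsf{Qbit}}] \qquad \forall i.(T_i \neq \mathsf{Qbit}) \qquad \forall i.(\Gamma;\Sigma;\Phi \vdash e_i : T_i) \\ \forall i.(\Gamma;\Sigma;\Phi \vdash f_i : \mathsf{Qbit}) \qquad \Gamma;\Sigma;\Phi \vdash P \\ \tilde{f} \text{ consists of distinct variables } \tilde{f}_x \text{ and distinct qubit names } \tilde{f}_q\end{array}}{\Gamma, \tilde{f}_x{:}\mathsf{Qbit};\Sigma, \tilde{f}_q{:}\mathsf{Qbit};\Phi \vdash e![e_1,\ldots,e_m,f_1,\ldots,f_n].P} \quad \text{(IT-Out)}$$

$$\frac{\Gamma;\Sigma;\Phi \vdash e : T \qquad \Gamma;\Sigma;\Phi \vdash P}{\Gamma;\Sigma;\Phi \vdash \{e\}.P} \qquad \frac{\Gamma, x{:}\hat{\ }[T_1,\ldots,T_n];\Sigma;\Phi \vdash P}{\Gamma;\Sigma;\Phi \vdash (\mathsf{new}\ x{:}\hat{\ }[T_1,\ldots,T_n])P} \quad \text{(IT-Act/IT-New)}$$

Figure 13: Internal typing rules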
We can also prove a standard runtime safety theorem,
stating that a typable process generates no communication
errors or incorrectly-applied operators, but
we have not included it in the present paper.

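Lemma 1 (Typability of Subterms in E)

If $\mathcal{D}$ is a typing derivation concluding $\Gamma;\Sigma;\Phi \vdash E[e] : T$
then there exists $U$ such that $\mathcal{D}$ has a subderivation $\mathcal{D}'$
concluding $\Gamma;\Sigma;\Phi \vdash e : U$ and the position of $\mathcal{D}'$ in $\mathcal{D}$
corresponds to the position of the hole in $E[\,]$.

Proof: By induction on the structure of $E[\,]$. □

Lemma 2 (Replacement in E)

If

1. $\mathcal{D}$ is a derivation concluding $\Gamma;\Sigma;\Phi \vdash E[e] : T$

2. $\mathcal{D}'$ is a subderiv. of $\mathcal{D}$ concluding $\Gamma;\Sigma;\Phi \vdash e : U$

3. the position of $\mathcal{D}'$ in $\mathcal{D}$ matches the hole in $E[\,]$

4. $\Gamma;\Sigma;\Phi \vdash e' : U$

then $\Gamma;\Sigma;\Phi \vdash E[e'] : T$.

Proof: Replace $\mathcal{D}'$ in $\mathcal{D}$ by a deriv. of $\Gamma;\Sigma;\Phi \vdash e' : U$. □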

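Lemma 3 (Type Preservation for $\longrightarrow_v$)

If $\Gamma;\Sigma;\Phi \vdash e : T$ and $(\sigma;\phi;e) \longrightarrow_v \boxplus_i\, p_i \bullet (\sigma_i;\phi_i;e_i)$
and $\Sigma = \mathit{dom}(\sigma)$ and $\phi = \mathit{dom}(\Phi)$ then $\forall i.(\sigma_i = \sigma)$ and
$\forall i.(\phi_i = \phi)$ and $\forall i.(\Gamma;\Sigma;\Phi \vdash e_i : T)$.

Proof: Straightforward from the definition of $\longrightarrow_v$ by
examining each case. □

Lemma 4 (Type Preservation for $\longrightarrow_e$)

If $\Gamma;\Sigma;\Phi \vdash e : T$ and $(\sigma;\phi;e) \longrightarrow_e \boxplus_i\, p_i \bullet (\sigma_i;\phi_i;e_i)$
and $\Sigma = \mathit{dom}(\sigma)$ and $\phi = \mathit{dom}(\Phi)$ then $\forall i.(\sigma_i = \sigma)$ and
$\forall i.(\phi_i = \phi)$ and $\forall i.(\Gamma;\Sigma;\Phi \vdash e_i : T)$.

Proof: $(\sigma;\phi;e) \longrightarrow_e \boxplus_i\, p_i \bullet (\sigma_i;\phi_i;e_i)$ is derived by
R-Context, so for some $E[\,]$ we have $e = E[f]$ and
$\forall i.(e_i = E[f_i])$ and $(\sigma;\phi;f) \longrightarrow_v \boxplus_i\, p_i \bullet (\sigma_i;\phi_i;f_i)$.
From $\Gamma;\Sigma;\Phi \vdash E[f] : T$, Lemma 1 gives $\Gamma;\Sigma;\Phi \vdash f : U$
for some $U$, Lemma 3 gives $\forall i.(\Gamma;\Sigma;\Phi \vdash f_i : U)$
and $\forall i.(\sigma_i = \sigma)$ and $\forall i.(\phi_i = \phi)$, and Lemma 2 gives
$\forall i.(\Gamma;\Sigma;\Phi \vdash E[f_i] : T)$. □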

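Lemma 5 (Typability of Subterms in F)

If $\mathcal{D}$ is a typing derivation concluding $\Gamma;\Sigma;\Phi \vdash F[e]$
then there exists $T$ such that $\mathcal{D}$ has a subderivation $\mathcal{D}'$
concluding $\Gamma;\Sigma;\Phi \vdash e : T$ and the position of $\mathcal{D}'$ in $\mathcal{D}$
corresponds to the position of the hole in $F[\,]$.

Proof: By case-analysis on the structure of $F[\,]$. □

Lemma 6 (Replacement in F)

If

1. $\mathcal{D}$ is a derivation concluding $\Gamma;\Sigma;\Phi \vdash F[e]$

2. $\mathcal{D}'$ is a subderiv. of $\mathcal{D}$ concluding $\Gamma;\Sigma;\Phi \vdash e : T$

3. the position of $\mathcal{D}'$ in $\mathcal{D}$ matches the hole in $F[\,]$

4. $\Gamma;\Sigma;\Phi \vdash e' : T$

then $\Gamma;\Sigma;\Phi \vdash F[e']$.

Proof: Replace $\mathcal{D}'$ in $\mathcal{D}$ by a deriv. of $\Gamma;\Sigma;\Phi \vdash e' : T$. □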

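Lemma 7 (Weakening for Expressions)

If $\Gamma;\Sigma;\Phi \vdash e : T$ and $\Gamma \subseteq \Gamma'$ and $\Sigma \subseteq \Sigma'$ and $\Phi \subseteq \Phi'$
then $\Gamma';\Sigma';\Phi' \vdash e : T$.

Proof: Induction on the derivation of $\Gamma;\Sigma;\Phi \vdash e : T$. □

Lemma 8

If $\Gamma;\Sigma;\Phi \vdash e : T$ then $\mathit{fv}(e) \subseteq \mathit{dom}(\Gamma)$ and $\mathit{fq}(e) \subseteq \Sigma$
and $\mathit{fc}(e) \subseteq \mathit{dom}(\Phi)$.

Proof: Induction on the derivation of $\Gamma;\Sigma;\Phi \vdash e : T$. □

Lemma 9

If $\Gamma;\Sigma;\Phi \vdash P$ then $\mathit{fv}(P) \subseteq \mathit{dom}(\Gamma)$ and $\mathit{fq}(P) \subseteq \Sigma$ and
$\mathit{fc}(P) \subseteq \mathit{dom}(\Phi)$.

Proof: Induction on the derivation of $\Gamma;\Sigma;\Phi \vdash P$. □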

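Lemma 10 (Substitution in Expressions)

Assume that $\Gamma, \tilde{x}{:}\tilde{T};\Sigma;\Phi \vdash e : T$ and let $\tilde{v}$ be values
such that, for each $i$:

1. if $T_i = \mathsf{Qbit}$ then $v_i$ is a variable or a qubit name

2. if $T_i = \mathsf{Qbit}$ and $v_i = y_i$ (a var) then $y_i \notin \Gamma, \tilde{x}{:}\tilde{T}$

3. if $T_i = \mathsf{Qbit}$ and $v_i = q_i$ (a qubit name) then $q_i \notin \Sigma$

4. if $T_i \neq \mathsf{Qbit}$ then $\Gamma;\Sigma;\Phi \vdash v_i : T_i$.

Let $\tilde{y}$ be the variables of type Qbit from $\tilde{v}$ (corresponding
to condition (2)) and assume that they are distinct;
let $\tilde{q}$ be the qubit names from $\tilde{v}$ (corresponding to
condition (3)) and assume that they are distinct. Then
$\Gamma, \tilde{y}{:}\widetilde{\mathsf{Qbit}};\Sigma,\tilde{q};\Phi \vdash e\{\tilde{v}/\tilde{x}\} : T$.

Proof: Induction on the deriv. of $\Gamma, \tilde{x}{:}\tilde{T};\Sigma;\Phi \vdash e : T$. □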

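Lemma 11 (Substitution in Processes)

Assume that $\Gamma, \tilde{x}{:}\tilde{T};\Sigma;\Phi \vdash P$ and let $\tilde{v}$ be values such
that, for each $i$:

1. if $T_i = \mathsf{Qbit}$ then $v_i$ is a variable or a qubit name

2. if $T_i = \mathsf{Qbit}$ and $v_i = y_i$ (a var) then $y_i \notin \Gamma, \tilde{x}{:}\tilde{T}$

3. if $T_i = \mathsf{Qbit}$ and $v_i = q_i$ (a qubit name) then $q_i \notin \Sigma$

4. if $T_i \neq \mathsf{Qbit}$ then $\Gamma;\Sigma;\Phi \vdash v_i : T_i$.

Let $\tilde{y}$ be the variables of type Qbit from $\tilde{v}$ (corresponding
to condition (2)) and assume that they are distinct;
let $\tilde{q}$ be the qubit names from $\tilde{v}$ (corresponding to
condition (3)) and assume that they are distinct. Then
$\Gamma, \tilde{y}{:}\widetilde{\mathsf{Qbit}};\Sigma,\tilde{q};\Phi \vdash P\{\tilde{v}/\tilde{x}\}$.

Proof: By induction on the derivation of $\Gamma, \tilde{x}{:}\tilde{T};\Sigma;\Phi \vdash P$.
The key cases are T-Par and T-Out.

For T-Par the final step in the typing derivation has
the form

$$\frac{\Gamma_1;\Sigma_1;\Phi \vdash P \qquad \Gamma_2;\Sigma_2;\Phi \vdash Q}{\Gamma, \tilde{x}{:}\tilde{T};\Sigma;\Phi \vdash P \mid Q}$$

where $\Gamma_1 + \Gamma_2 = \Gamma, \tilde{x}{:}\tilde{T}$ and $\Sigma_1 + \Sigma_2 = \Sigma$. Each
variable of type Qbit in $\Gamma, \tilde{x}{:}\tilde{T}$ is in exactly one
of $\Gamma_1$ and $\Gamma_2$. Because the free variables of $P$ and
$Q$ are contained in $\Gamma_1$ and $\Gamma_2$ respectively, substitution
into $P \mid Q$ splits into disjoint substitutions into
$P$ and $Q$. The induction hypothesis gives typings for
$P\{\tilde{v}/\tilde{x}\}$ and $Q\{\tilde{v}/\tilde{x}\}$, which combine (by T-Par) to
give $\Gamma, \tilde{y}{:}\widetilde{\mathsf{Qbit}};\Sigma,\tilde{q};\Phi \vdash P \mid Q\{\tilde{v}/\tilde{x}\}$. □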

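Lemma 12 (Struct. Cong. Preserves Typing)

If $\Gamma;\Sigma;\Phi \vdash P$ and $P \equiv Q$ then $\Gamma;\Sigma;\Phi \vdash Q$.

Proof: Induction on the derivation of $P \equiv Q$. □

Lemma 13 (External/Internal Type System)

$\Gamma \vdash e : T \Rightarrow \Gamma;\emptyset;\emptyset \vdash e : T$ and $\Gamma \vdash P \Rightarrow \Gamma;\emptyset;\emptyset \vdash P$.

Proof: Induction on the derivations. □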

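Theorem 1 (Type Preservation for $\longrightarrow$)

If $\Gamma;\Sigma;\Phi \vdash P$ and $(\sigma;\phi;P) \longrightarrow \boxplus_i\, p_i \bullet (\sigma_i;\phi_i;P_i)$ and
$\Sigma = \mathit{dom}(\sigma)$ and $\phi = \mathit{dom}(\Phi)$ then $\forall i.(\sigma_i = \sigma)$ and
$\forall i.(\phi_i = \phi)$ and $\forall i.(\Gamma;\Sigma;\Phi \vdash P_i)$.

Proof: By induction on the derivation of
$(\sigma;\phi;P) \longrightarrow \boxplus_i\, p_i \bullet (\sigma_i;\phi_i;P_i)$, in each case examining the final steps
in the derivation of $\Gamma;\Sigma;\Phi \vdash P$. □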

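Theorem 2 (Unique Ownership of Qubits)

If $\Gamma;\Sigma;\Phi \vdash P \mid Q$ then $\mathit{fq}(P) \cap \mathit{fq}(Q) = \emptyset$.

Proof: The final step in the derivation of $\Gamma;\Sigma;\Phi \vdash P \mid Q$
has the form

$$\frac{\Gamma_1;\Sigma_1;\Phi \vdash P \qquad \Gamma_2;\Sigma_2;\Phi \vdash Q}{\Gamma;\Sigma;\Phi \vdash P \mid Q}$$

where $\Gamma = \Gamma_1 + \Gamma_2$ and $\Sigma = \Sigma_1 + \Sigma_2$. By Lemma 9,
$\mathit{fq}(P) \subseteq \Sigma_1$ and $\mathit{fq}(Q) \subseteq \Sigma_2$. The implicit hypothesis
of the typing rule T-Par is that $\Sigma_1 + \Sigma_2$ is defined,
meaning that $\Sigma_1 \cap \Sigma_2 = \emptyset$. Hence $\mathit{fq}(P) \cap \mathit{fq}(Q) = \emptyset$. □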

7 Future Work 

Our aim is to develop techniques for formal verifica- 
tion of systems modelled in CQP. In particular we 
are working towards an analysis of the BB84 quan- 
tum key distribution protocol, including both the core 
quantum steps and the classical authentication phase. 



Initially we will use model-checking, in both standard 
(non-deterministic) and probabilistic forms. Standard 
model-checking is appropriate for absolute properties 
(for example, the quantum teleportation protocol (Sec- 
tion ^3 claims that the final state of y is always the 
same as the initial state of z). In general, however, 
probabilistic model-checking is needed. For example, 
the bit-commitment protocol (Section ^3 guarantees 
that, with some high probability which is dependent 
on the number of bits used by Alice, Bob's verification 
step is successful. We have obtained preliminary results 
with the CWB-NC and PRISM systems,
working directly with the modelling language of each 
tool. The next step is to develop automated transla- 
tions of CQP into these lower-level modelling languages; 
note that our operational semantics matches the seman- 
tic model used by PRISM. 

Another major area for future work is to develop a 
theory of equivalence for CQP processes, as a founda- 
tion for compositional techniques for reasoning about 
the behaviour of systems. 

We can also consider extending the language. It
should be straightforward to add purely classical features
such as functions and assignable variables. Extensions
which combine quantum data with enhanced
classical control structures require more care. Valiron's
recent formulation of a typed quantum lambda calculus
seems very compatible with our approach, and it
should fit into CQP's expression language fairly easily.

8 Conclusions 

We have defined a language, CQP, for modelling sys- 
tems which combine quantum and classical communi- 
cation and computation. CQP has a formal operational 
semantics, and a static type system which guarantees 
that transmitting a qubit on a communication channel 
corresponds to a physical transfer of ownership. 

The syntax and semantics of CQP are based on a 
combination of the pi-calculus and an expression lan- 
guage which includes measurement and transformation 
of quantum state. The style of our definitions makes it 
easy to enrich the language. 

Our research programme is to use CQP as the basis 
for analysis and verification of quantum protocols, and 
we have outlined some possibilities for the use of both 
standard and probabilistic model-checking. 